The Internet activist Aaron Swartz was hounded for two years by federal prosecutors intent on maintaining the social fiction that excessive unauthorized downloading is a prison-worthy crime. When he killed himself in January 2013, Swartz had been charged with 13 felonies, 11 of which fell under the Computer Fraud and Abuse Act, pertaining to his allegedly unauthorized downloading of nearly 5 million academic journal articles from the nonprofit database JSTOR. The charges could have theoretically earned him up to 50 years in prison.
After Swartz’s death, Rep. Zoe Lofgren introduced a bill called Aaron’s Law that would have reformed some of the CFAA’s most frustrating provisions. The bill died in committee, reportedly after Oracle and other tech companies lobbied against it. Earlier this week, Lofgren, Sens. Ron Wyden and Rand Paul, and a few other legislators re-introduced Aaron’s Law. It will probably die again.
The new Aaron’s Law is a good bill that would restore some balance to a bad law. It amends the CFAA to clarify that the law does not apply to mere terms-of-service violations. It strikes the CFAA’s largely redundant Section 4, which effectively allows prosecutors to charge defendants twice for the same offense. It is precise where the CFAA is vague and expansive, which is how the tech corporations of America like it. And as long as they’re willing to lobby in favor of the status quo, that status quo will be very hard to change.
How bad is the CFAA? You can read its text here. The tl;dr version is this: Like most bad laws, the CFAA is bad primarily because it is disproportionate. America’s federal computer-crime laws began as a response to legislators’ paranoid imaginations more so than any real-world threats. And the laxity with which these laws have been conceived and amended—and the increasing severity of their corresponding penalties—has had serious consequences.
The CFAA began life as the Counterfeit Access Device and Computer Fraud and Abuse Act of 1984. It was enacted to protect federal and financial-industry computers from malicious hackers who may or may not have actually existed. At that time, “computer crime” was as problematic as “moon crime,” in that both primarily existed in the realm of fiction. There was no reliable data to indicate just how big a problem computer crime posed to America’s computer owners, if, indeed, it posed a problem at all. But as Richard C. Hollinger and Lonn Lanza-Kaduce wrote in an 1988 article in Criminology, “ ‘Computer crime’ presented activist legislators with an ideal issue with which to maximize personal media exposure without offending any major constituency.” Then-Rep. Bill Nelson, who had championed a similar law in the Florida state Legislature, made computer crime one of his pet issues upon his election to Congress. Nobody really listened until 1983, upon the release of the movie WarGames, which was about a teenager accessing a government computer and almost causing a nuclear war. This is sort of like outlawing two-story houses in response to the film The People Under the Stairs.
A 1983 congressional hearing on computer security began with a clip from WarGames in which the main character hacked into a school computer in order to change his grade (“a sequence I’m told is quite realistic in terms of what real hackers do,” announced Rep. Dan Glickman). The clip was followed by testimony from “a real, live hacker”: a Milwaukee teenager named Neal Patrick, who had recently appeared on the cover of Newsweek as one of the so-called 414 hackers, so named for the area code of the Milwaukee region where they lived. The 414 hackers were not malicious hackers. They were hardly hackers at all. They found a list of default passwords on an online bulletin board and used those passwords to gain access to systems whose managers had been too lazy or stupid to change the password from the factory default. Once they were inside the systems, they committed no intentional damage.
Nevertheless, the attention around these incidents and a few others was enough to make it seem like a federal computer-crime statute was very, very necessary. “I think what this country’s seeing is the development of a new concept in law-breaking,” said then-Rep. Ron Wyden in 1983. “One of its most tragic and profound implications is that it attracts some of the brightest young people who seem to fail to recognize the ethical and moral implications of their actions.”
When Congress first started considering what would become the CFAA, it decided that passing one broad law covering all manner of computer crimes was preferable to passing dozens of individual laws covering dozens of individual crimes. “The price for this legislative expediency is that one relatively brief statute is applied to a range of disparate activities such as fraud, trespass, spam, phishing, worms, viruses and denial of service attacks,” wrote Greg Pollaro in the Duke Law & Technology Review. “This has inevitably forced square pegs into round holes.”
Since the CFAA was first enacted in 1984, it has been repeatedly amended and expanded to the point where a law initially intended to protect banking records and classified government documents has become a vague and insinuating statute that invites prosecutors to classify digital trespassing as burglary and gives them the latitude to effectively charge people multiple times for a single offense. The current CFAA allows prosecutors to charge people with felonies for exceeding authorized access to a protected computer, which the statute defines as any computer engaged in interstate commerce or communications. This describes every single computer with an active Internet connection. In many cases, simply violating a website’s stated terms of service is enough to technically render you an offender. Ever share your New York Times login credentials with a friend or co-worker? Congratulations: You may have just violated the CFAA. See you in federal prison!
The Times, of course, is not in the business of prosecuting people for sharing their passwords. But other entities are more than willing to threaten employees or users with criminal liability for exceeding authorized access. And that’s the main reason why this terrible law resists change. Corporations want to have this law on the books in order to dissuade disgruntled employees or ex-employees from breaching their contracts and also to dissuade users from modifying or sharing their products without authorization. In an economy that depends on the artificial maintenance of informational scarcity, corporations will always support laws that punish the evasion of access controls. And without a public outcry commensurate with that which helped stop the Stop Online Piracy Act and the Protect IP Act in 2012, the CFAA will never be fixed.
For now, the CFAA fails to adequately balance the interests of computer proprietors with those of computer users and heavily favors the former over the latter. It criminalizes routine online behaviors and expediencies, like sharing passwords or violating a site’s terms of service. A good rule of thumb is that if a law is routinely broken by most people, the problem is with the law and the way it fails to account for how people actually live. And so it’s all the more unfair when prosecutors do decide to arbitrarily enforce these laws and make an example out of someone.
There should, of course, still be federal computer-crime laws. Computer crime exists, just like real-world crime exists, and identity thieves, credit-card fraudsters, spies, vandals, and other malicious hackers should be prosecuted and punished for their destructive antisocial behaviors. But there’s a difference between “destructive online behavior” and “the way we live now.” A fair federal statute would acknowledge that difference and stop making felons out of trespassers.