Aaron’s Law Would Dial Back Hacking Prosecutions
Aaron Swartz at the the 2009 Boston Wiki Meetup.
CREDIT: Sage Ross/Creative Commons
Legislation that would make it more difficult for the government to prosecute people for violating an online company's terms of service was introduced today (June 20) by U.S. Rep. Zoe Lofgren (D-Calif.).
The bill, called Aaron's Law in remembrance of the late activist Aaron Swartz, would modify the Computer Fraud and Abuse Act (CFAA), the law that makes unauthorized use of a computer a federal offense.
If passed, Aaron's Law would change the CFAA so that violating terms of service, website notices, contracts or employment agreements could no longer be considered a federal offense.
The bill would also remove perceived redundancies in the CFAA wherein a person can be charged multiple times for the same crime.
[See also: How to Fix America's Harmful Hacking Laws]
"Vagueness is the core flaw of the CFAA," Lofgren wrote in a Wired.com Op-Ed, explaining that the way the CFAA is currently phrased, any breach of a digital company's terms of service — such as, conceivably, sharing a Netflix password with friends or lying about your age on Facebook — could be considered a federal offense.
Lofgren began drafting the bill in January, and even went to Reddit, a popular online discussion forum that Swartz co-founded, to solicit public opinion.
Now the bill will make its way through the House of Representatives and, if it survives, eventually go to President Barack Obama's desk to be signed into law. Sen. Ron Wyden (D-Ore.) is expected to introduce a companion bill in the Senate soon, according to The Hill.
Swartz was charged in 2011 for allegedly using Massachusetts Institute of Technology servers to download a total of 4 million academic journal articles from JSTOR, a digital library that offers subscription-based access.
Neither JSTOR nor MIT pressed charges. But a Middlesex County (Mass.) Superior Court grand jury indicted Swartz in 2011 with breaking and entering, grand larceny and unauthorized access to a computer network. Concurrent federal charges would have put him in prison for a possible 35 years, if found guilty.
Later, in September 2012, the U.S. attorney for Massachusetts issued a second federal indictment that superseded the earlier ones, adding nine charges and 15 more years to the penalty.
Swartz committed suicide in his Brooklyn apartment in January 2013.
His death was the catalyst for Lofgren's bill. "This flaw in the CFAA allows the government to imprison Americans for a violation of a non-negotiable, private agreement that is dictated by a corporation," Lofgren wrote. "…The law must separate its treatment of everyday Internet activity from criminals intent on causing serious damage to financial, social, civic, or security institutions."
Aaron's Law doesn't change the parts of the CFAA that make use of viruses, malware, denial-of-service attacks and other malicious cyberattacks illegal.
A detailed summary of the proposed changes to the CFAA can be found here.
Others in the legislature are proposing strengthening the CFAA. A draft bill to that effect was first circulated this March but has not been officially introduced in either the Senate or the House of Representatives.