Internet activist Aaron Swartz's suicide last January galvanized calls for an overhaul of the Computer Fraud and Abuse Act (CFAA), used widely by the government to prosecute misdeeds that critics say the law was never intended to address. Yet, one year after Swartz's death, efforts to reform the law appear to have made little headway.
Aaron's Law, a bill that would have put important new restrictions on use of the CFAA by federal prosecutors stalled in Congress last year despite eliciting wide support from privacy and rights advocacy groups. The bill was sent to the House Judiciary Committee's Crime Terrorism, Homeland Security and Investigations subcommittee in June where it languished.
Internet activist Aaron Swartz speaking at the Freedom to Connect conference in Washington in May 2012. (Photo: Peretz Partensky via Wikimedia Commons)
While Swartz's legions of supporters remain intent on reforming the law, the appetite for change in Washington has diminished considerably. A bill introduced by Sen. Patrick Leahy (D-Vt.) earlier this month, seeks to tweak the CFAA, but in a manner that raises new issues, according to some observers.
The furor over the Edward Snowden leaks also diverted attention from CFAA reform, making it uncertain whether change to the act will happen this year.
"Unfortunately, little has changed on the CFAA front," after Swartz's death, said Hanni Fakhoury, a staff attorney with the Electronic Frontier Foundation. "Since the Snowden/NSA stories broke, much of the attention has turned to that fight."
Leahy's recently introduced bill may bring more attention and momentum to the fight to scale back the CFAA, but it's to soon to say for sure, Fakhoury said.
Swartz, 26, hanged himself Jan. 11, 2013, apparently over concerns of spending a long time in prison on hacking charges. Federal prosecutors in Massachusetts had indicted Swartz on 13 counts of felony hacking and wire fraud charges in connection with his alleged theft of millions of documents from JSTOR, an online library of literary journals and scholarly documents.
Swartz, a co-founder of the online news aggregation site Reddit and co-author of the RSS 1.0 Web feed specification, downloaded the documents from an MIT server using an account that he had set up with a fake name and email address.
Swartz, who was a fellow at Harvard University at the time, claimed he downloaded the scholarly documents so he could make them available for free on the Internet. The JSTOR documents are typically sold by subscription to universities and other institutions.
Federal prosecutors accused him of breaking provisions of the CFAA, which among other things, makes it illegal for anyone to knowingly access a computer without authorization or to exceed their authorized use of a system.
The law provides for penalties of up to life in prison for hacking. Prosecutors allegedly led Swartz into believing he faced 35 years in prison for his actions -- a prospect that is believed to have spurred his decision to kill himself.
The CFAA, drafted by Congress in 1986, was originally designed to deter criminal hacking for data theft or sabotage. Critics of the law say that its loose definition of key terms, like those related to unauthorized access and exceeding authorized access, have allowed creative prosecutors to apply the CFAA to a broader set of circumstances.
The critics have noted that over the years hardline prosecutors have used the law to criminalize such transgressions as violating a website's terms of service agreements or a company's internal computer use terms.
People have been indicted under the law for creating email accounts and social media profiles using fake email addresses. Others have been banned from logging onto specific websites for not adhering to the site's terms of service agreements. Theoretically at least, the law makes it a felony to provide fake information when filling out a social media profile, the law's critics say.
They also say that even misdemeanors become felonies with disproportionately punitive punishments under CFAA.
Aaron's Law, introduced last June by Sen. Ron Wyden (D-Ore.) and Reps. Zoe Lofgren (D-Calif.) and Jim Sensenbrenner (R-Wisc.) sought to address some of the issues by deleting certain terms and tightening the definition others.
With its failure to advance, however, change has remained elusive.
"I don't think we are any closer to CFAA reform than we were a year ago," said Eric Goldman, a professor at the Santa Clara University School of Law. "Any reform impetus that was spurred by Swartz's death has probably dissipated."
Some federal courts have begun to make a "brighter distinction" between intruders, who never had authorization to access a third party's computer, and legitimate users, who lost or exceeded their access, he said.
Despite this, "we still need structural CFAA reform, and we need similar changes in overbroad state computer crime laws," Goldman said.
Shawn Tuma, an attorney with the law firm BrittonTuma in Plano, Texas, who has defended clients in CFAA lawsuits, said the real problem is not with the law, but the manner in which prosecutors have applied it.
"I think the CFAA is a powerful and good tool," Tuma said. "But we have seen some horrible abuses [of the law] by government," he said.
The law needs to be revised in order to allow for lesser charges such as misdemeanors, Tuma said. "I don't agree with felony charges for terms of service and contract violations."
But scrapping the law or making wholesale changes to it, as some are calling for, is not a good idea, he said. The CFAA is an effective tool against data theft and sabotage. Businesses need such laws to keep information secure, he said. Congress realizes that, which is why it has been so reluctant to support calls for CFAA reform in a bigger way, he said.
Swartz's death, and the subsequent calls for CFAA reform, have also made both prosecutors and courts more careful in ensuring that the law is applied in the spirit in which it was written, Tuma said.
A coalition of Internet companies and privacy groups plan an online protest against government surveillance of Internet users on Feb. 11, in memory of Swartz.
This article, A year after Swartz suicide, reform of anti-hacking law remains elusive, was originally published at Computerworld.com.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is [email protected].
Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Topic Center.