Aaron’s Law Takes Shape
Digital activist Aaron Swartz took his own life on January 11. Swartz was facing federal hacking charges after being arrested for downloading millions of articles from JSTOR from MIT’s network in excess of his access. Since Swartz’s suicide, activists, scholars and legislators have been at work on reforms to the law under which he was prosecuted—the Computer Fraud and Abuse Act, or CFAA.
Calls to reform the CFAA are not brand new. Villanova law professor (and my former boss) Michael Risch wrote about the CFAA’s “scary” implications in 2011. Risch wrote that, in his opinion, the most accurate interpretation of the CFAA was “Anyone using a website who starts using information from it in a way that the web operator clearly does not desire could theoretically be criminally liable. Now that’s scary.”
That is essentially the scenario in which Swartz and Andrew Auernheimer found themselves. Swartz had access to JSTOR through an account, but exceeded his access level by downloading content in massive quantities. Auernheimer accessed an AT&T login page with a simple exploit that made it spill over 100,000 iPad owners’ email addresses—arguably exceeding authorized access because AT&T only authorized use of the site to actually log in, not to harvest email addresses.
Professor Orin Kerr, a former prosecutor and expert in computer crime law at George Washington University, evaluated the charges against Swartz in a long piece he wrote shortly after his death. Kerr concluded that “the legal charges against Swartz were pretty much legit” and “what Swartz was alleged to have done fits pretty well with the charges that were brought.” (Not all commentators agree.)
Together, Swartz’s suicide, his stature in the activist and tech communities, and perhaps the growing recognition that his prosecution was legally sound, have catalyzed efforts to reform the CFAA. On January 16—just five days after Swartz’s death—Rep. Zoe Lofgren (D-OR) posted a draft bill to revise the CFAA, dubbed “Aaron’s Law,” on Reddit.
Professor Kerr took issue with Lofgren’s bill and made his own initial reform recommendations on January 16, which he followed up with a more thorough proposal on January 20. Notably, Kerr would entirely eliminate liability for “exceeding authorized access”—leaving only liability for the much cleaner scenario of access “without authorization”—and also would drop the law’s civil liability provision. The EFF also marked up Lofgren’s bill with its own clarifications, focusing on assuring that violations of a terms-of-service agreement aren’t a crime.
Jennifer Granick, a scholar and computer crime defense attorney at Stanford’s Center for Internet and Society, addressed Kerr’s proposal in a January 23 post, calling it “a great second step.” However, Granick took issue with Kerr’s definition of “accesses without authorization,” which focused on “circumvent[ing] technological access barriers.” Granick believes this still casts too wide a net, and would catch people who do some sort of circumvention for legitimate reasons, including security researchers or terms-of-service violators. Granick echoes the EFF’s position there, stating that TOS violations must be clearly excluded from the reach of criminal law.
Professor Kerr posted again on January 27, looking to further refine the definition of “accesses without authorization” by polling his readers on whether six hypothetical scenarios should result in criminal liability—a sort of regression testing for legislation.
Rep. Lofgren posted an updated draft of her bill on February 1. The update incorporated many of Kerr’s and EFF’s comments, but both were still quick to pick apart the new text. The EFF wanted more clarity on beneficial circumvention and penalties, and Kerr found flaws in Lofgren’s complex definition of “access without authorization.”
Lofgren has said she plans to introduce Aaron’s Law in Congress soon, but whatever she introduces will be just the first input in a long process. One takeaway from the collaborative drafting process so far is that, despite inviting input from the entire Internet, the most useful and influential comments have come from traditional non-profit advocacy groups and academia. I suspect this is mostly because understanding complex statutes like the CFAA is just hard.
For those interested, Lawrence Lessig is scheduled to give a webcast lecture about Aaron’s Law from Harvard Law School on February 19, and, later the same day, Stanford is holding an event on the CFAA including Jennifer Granick, Brewster Kahle, and Ed Felten.