What Is Aaron’s Law and Why Does It Matter?

Legislators proposed an update to anti-hacking law Thursday.



Rep. Zoe Lofgren and Sen. Ron Wyden introduced Aaron’s Law on Thursday, a bill that would reform the anti-hacking law used against internet activist Aaron Swartz, who committed suicide while facing hacking charges that could have put him in jail for decades.

Swartz’s suicide in January galvanized protests that the Computer Fraud and Abuse Act, passed in 1984, has grown wildly outdated in the age of ubiquitous internet access, and that it offers prosecutors discretion to threaten huge potential fines and jail sentences for relatively undeserving violations of computer policy. Carmen Ortiz’s U.S. Attorney’s Office charged Swartz with hacking into the MIT computer network to download millions of scholarly articles from JSTOR, an act of civil disobedience meant to protest the restricted access to research funded by taxpayers. For this, the U.S. Attorney brought charges that carried a maximum penalty of 35 years in prison and $1 million in fines. His family said the government’s prosecution contributed to his decision to take his life.

Swartz, then, provided a sympathetic face for the consequences of leaving the bill unamended. The legislators are trying to fix the CFAA in a couple of ways. (For further reading, the bill is here, and the explanation is here.)

First, the CFAA as written punishes “exceeding authorized access” to a protected computer, a phrase vague enough to inspire some broad interpretations. The bill borrows ideas for clarifying it based on a few circuit court opinions. In a 2012 ruling from the Ninth Circuit, for instance, Chief Judge Alex Kozinski irreverently laid out the consequences if we allowed an overly broad interpretation of that phrase:

Basing criminal liability on violations of private computer use policies can transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved. Employees who call family members from their work phones will become criminals if they send an email instead. Employees can sneak in the sports section of the New York Times to read at work, but they’d better not visit ESPN.com. And sudoku enthusiasts should stick to the printed puzzles, because visiting www.dailysudoku.com from their work computers might give them more than enough time to hone their sudoku skills behind bars.

Aaron’s Law removes the phrase “exceeds authorized access” and replaces it with “access without authorization,” which it defines as, “to obtain information on a computer that the accesser lacks authorization to obtain, by knowingly circumventing technological or physical measures designed to prevent unauthorized individuals from obtaining that information.” Basically, you shouldn’t be prosecuted for violating a term of service that you probably didn’t read before hitting “I Agree.” You have to knowingly circumvent a password or a locked office intended to keep you out.

That seems useful, but Swartz wasn’t exactly charged with doing the crossword at work. To complete the download of JSTOR’s articles, he had to break into a wiring closet at MIT, a university where he wasn’t even enrolled, an action that seems like it would still be actionable even with the amendments in the bill named for him. But the second piece of Aaron’s Law is more relevant to his case. It seeks to limit the prosecutors’ ability to throw huge potential penalties at violators. Describing their bill in Wired, Wyden and Lofgren wrote of those redundancies:

Another flaw in the CFAA is redundant provisions that enable a person to be punished multiple times … for the same crime. These charges can be stacked one on top of another, resulting in the threat of higher cumulative fines and jail time for the exact same violation.

This allows prosecutors to bully defendants into accepting a deal in order to avoid facing a multitude of charges from a single, solitary act. It also plays a significant role in sentencing. The ambiguity of a provision meant to toughen sentencing for repeat offenders of the CFAA may in fact make it possible for defendants to be sentenced based on what should be prior convictions — but were nothing more than multiple convictions for the same crime.

Aaron’s Law contains language that seeks to prevent multiple punishments for the same action.

All these seem like important updates. Who could expect a law drafted in the 1980s to keep up with the revolution in internet connectivity we’ve seen in the decades since? But that’s not to say Aaron’s Law is going to be an easy sell. Swartz’s case elicited an outpouring of sympathy for this cause on the internet, but in Congress and elsewhere, legislators might have concerns. As Justin Peters writes in Slate, “Congressmen, like most people, care a lot more about meting out punishment to ‘bad hackers’ than they do about offering justice to ‘good hackers,’ and I think a lot of them will be susceptible to arguments that Aaron’s Law might make it harder for prosecutors to go after the bad guys and put them in jail.” And already, a trade group called the BSA protested that the bill would require companies to set up technological hurdles to ensure that their information is legally protected.

So expect there to be a debate, a long overdue one. And if you learned anything about Swartz’s supporters in the wake of his death, expect it to be vocal.