The suicide last month of coder and internet activist Aaron Swartz prompted an outcry about the manner in which a U.S. attorney used anti-hacking legislation to launch a heavy-handed prosecution for what many considered a minor infraction.
Federal prosecutors in Boston defended their actions, saying they were only upholding the Computer Fraud and Abuse Act, under which Swartz was charged.
But two lawmakers are proposing long-overdue changes to the law that would help prevent prosecutors from overreaching in their use of the law, as has occurred in a number of cases in recent years.
The amendments, referred to as Aaron’s Law (.pdf) by Rep. Zoe Lofgren (D-Calif.) and Sen. Ron Wyden (D-Oregon), exclude breaches of terms of service and user agreements from the law and also limits the scope of the definition of unauthorized access to make a clear distinction between criminal hacking activity and simply acts that exceed authorized access on a minor level.
Under the amendments, which the two lawmakers refined after seeking input from members of the Reddit community and others, defines unauthorized access as “circumventing one or more technological measures that exclude or prevent unauthorized individuals from obtaining or altering” information on a protected computer.
The amendment makes it clear that the act of circumventing would not include a user simply changing his MAC or IP address to gain access.
“Taken together, the changes in this draft should prevent the kind of abusive prosecution directed at Aaron Swartz and would help protect other Internet users from outsized liability for everyday activity,” Lofgren, or someone in her office, wrote on Reddit announcing the changes.
Wyden spokesman Tom Caiazza characterized the proposed bill as the “first steps toward pulling back the law from the abusive place it is now.”
The 26-year-old Swartz was found dead on Jan. 11 this year of an apparent suicide. Swartz suffered from depression, but his death has been attributed in part to the increasing money pressures he faced over his upcoming trial, which was scheduled for April, and his fear of spending time in prison.
Swartz, who helped develop the RSS standard and was a cofounder of the advocacy group Demand Progress, was indicted after he allegedly gained entry to a closet at MIT and connected a laptop to the university’s network in order to download millions of academic papers that were distributed by the JSTOR subscription service. Swartz was accused of repeatedly spoofing the MAC address of his computer after MIT blocked his MAC address.
Although Swartz later handed over a hard drive that contained the documents, and JSTOR did not pursue a complaint, the Justice Department pushed forward with prosecuting Swartz, with U.S. Attorney Carmen Ortiz insisting that “stealing is stealing.”
Rep. Darrell Issa (R-Calif.), chairman of the House Oversight and Government Reform committee, and ranking minority leader Elijah Cummings (D-Maryland) recently sent the Justice Department a letter asking what motivated the prosecution in light of JSTOR’s decision not to pursue a complaint and also asked why prosecutors felt the need to pile on more charges against Swartz after he was initially charged. They wrote in their letter that it appeared that prosecutors intentionally bulked up the felony counts against Swartz in order to increase the amount of time in prison he would face.
On July 14, 2011, federal prosecutors charged Swartz with four felony counts, including wire fraud, computer fraud, theft of information from a computer and recklessly damaging a computer. Then on Sept. 12, 2012, prosecutors filed a superseding indictment with thirteen felony counts.
“It appears that prosecutors increased the felony counts by providing specific dates for each action, turning each marked date into its own felony charge, and significantly increasing Mr. Swartz’s maximum criminal exposure to up to 50 years imprisonment and $1 million in fines,” the lawmakers wrote in their letter (.pdf).
Swartz, who did some coding for Wired and was at one time employed by Wired’s parent company, was reportedly offered a plea agreement that would have had him serving 7-8 months in prison if he pleaded guilty to 13 felony counts. Prosecutors threatened that if the case went to trial they would seek a prison sentence of 7-8 years. Swartz reportedly turned down the plea because he did not want to spend any time in prison or carry the burden of a felony conviction, which would have restricted his choices in life.
His family has blamed his suicide in part on the overzealous prosecution by the Justice Department.
Swartz is not the only person who got caught up in a zealous prosecution under the CFAA
Missouri mother Lori Drew was indicted in 2008 under the law for violating MySpace’s terms of service when she and others created a fake account that was used to harass and bully a teenage girl who subsequently killed herself. Drew was convicted of lesser misdemeanor charges by a jury who didn’t think prosecutors had proved the felony charges, but even that conviction didn’t stand up. A judge later vacated the judgment on grounds that the CFAA was “constitutionally vague” for the purpose that prosecutors were trying to use it and noted that if Drew’s conviction stood, it would set a dangerous precedent to charge anyone who violated a terms of service agreement online.
And last year Andrew Auernheimer, aka weev, was found guilty of one count of identity fraud and one count of conspiracy to access a computer without authorization after he and a friend discovered a hole in AT&T’s website that allowed anyone to obtain the e-mail address and ICC-ID of iPad users. They discovered that the site would leak e-mail addresses to anyone who provided it with a ICC-ID. So the two wrote a script – which they dubbed the “iPad 3G Account Slurper” – to mimic the behavior of numerous iPads contacting the web site in order to harvest the e-mail addresses of iPad users to prove that the vulnerability placed the privacy of users at risk.
Lofgren, in her post to Reddit, indicated that she thinks more changes need to be made to the law than what she and Wyden are proposing.
“As our discussions have continued, it is clear that many believe a thorough revision of the CFAA and substantial reform of copyright laws are necessary. I agree,” the post reads. “’Aaron’s Law’ is not this complete overhaul, but is a first step down the road to comprehensive reform. If we succeed in getting this draft bill enacted into law, it will be in honor of Aaron Swartz, and should be seen as a beginning of a concerted effort to bring reform to these broader issues.”
“The chances of success – whether for “Aaron’s Law” or other proposals – will depend greatly on the degree of positive public engagement and support to change the law,” the post reads. “As SOPA showed, when the Internet speaks, lawmakers listen. I think with enough constructive support we can have an opportunity to pass ‘Aaron’s Law.'”
Demand Progress, the group that Swartz cofounded, has set up a page online to make it easy for constituents to contact their lawmakers urging support of the amendments.