'Aaron's Law' rewrite backfires, reformers now on defensive
Congressional sausage-making in Washington threatens to rewrite a controversial anti-hacking law used against the late Aaron Swartz -- by replacing it with an even more Draconian version.
For years, criminal defense attorneys, academics, and civil libertarians have warned that an anti-hacking law, originally designed to protect NORAD's computers, needs to be reformed. Federal prosecutors have used the law to prosecute the late Aaron Swartz and a Missouri woman accused of lying on her MySpace profile.
Now a key U.S. House of Representatives committee finally is rewriting the Computer Fraud and Abuse Act. But instead of fixing the law's vagueness problems, or reducing its penalties, draft legislation backed by the Justice Department would make it even more Draconian.
It's a bitter setback to the reform coalition, which responded this morning with a letter (PDF) to Congress opposing the proposed expansion. "Unfortunately, the draft under discussion is a significant expansion of the CFAA at a time when public opinion is demanding the law be narrowed," it says. A committee vote is expected within the next month following a House Judiciary hearing that took place on March 13.
The letter, signed by representatives of the ACLU, Americans for Tax Reform, the Electronic Frontier Foundation, FreedomWorks, and the National Association of Criminal Defense Lawyers, among others, warns that the draft bill "would make it a felony to lie about your age on an online dating profile if you intend to contact someone online."
Today's letter comes the same week as Swartz's criminal trial was scheduled to have begun in Boston. He was accused of 13 felony counts relating to connecting a computer to MIT's network without authorization and retrieving over 4 million academic journal articles from the JSTOR database (he was permitted to access JSTOR because of a Harvard affiliation, but not to perform a bulk download).
Supporters of Swartz, who committed suicide in January, which his father has blamed on an out-of-control prosecution, are planning a noon rally on April 13 in Boston's Dewey Square Park. Aaron's partner, Taren Stinebrickner-Kauffman, Harvard law professor Yochai Benkler, and criminal defense attorney Harvey Silverglate are slated to speak.
The rally and subsequent march to Boston's federal courthouse are designed to demonstrate support for reforming the CFAA. Also supporting the CFAA-reform effort is the so-called Internet Defense League, which includes Mozilla, WordPress, Reddit, Fark, and Imgur, companies that were active in last year's successful effort to defeat the Stop Online Piracy Act (SOPA).
"Aaron's trial was set to begin today," Stinebrickner-Kauffman said in a statement on Monday. "We would have been in the courtroom for the next two weeks fighting unjust charges under an unjust law... We owe it to Aaron to make sure this can never happen again."
CFAA reformers -- who had hoped to enact "Aaron's Law in honor of the late activist -- have been left reeling from the proposal that veers in the opposite direction. Not helping their cause is a sharp increase in concern among Washington officialdom about cybersecurity and computer intrusions, especially from China, after disclosures by the firm Mandiant in February.
The current CFAA expansions are nearly identical to a previous Obama administration effort two years ago. Instead of trying to fix the law by excluding terms of service violations, the White House proposed additions in 2011 it described as (PDF) enhancing "the criminal penalties," inserting additional types of violations, and punishing some CFAA-related offenses as criminal racketeering under a 1970 law intended to target organized crime.
The Center for Democracy and Technology warned at the time that, under President Obama's plan (PDF), someone who jailbreaks his iPad and "shares with others the code that he used to gain access" would become "subject to criminal penalty."
That nearly became law. Sen. Patrick Leahy (D-Vt.), head of the Senate Judiciary committee, incorporated the administration's request into a bill backed by the Justice Department and other Democrats including Connecticut's Richard Blumenthal and New York's Chuck Schumer. Like the earlier expansions, it was endorsed by the Justice Department: James Baker, deputy attorney general, predicted it will ensure that "cybercrime is deterred effectively and punished appropriately." Treating certain CFAA violations as racketeering "strikes me as appropriate here," Baker said.
Leahy's proposal, which went by the not-entirely-descriptive title of Personal Data Privacy and Security Act, was approved by the Senate Judiciary committee in November 2011 with some amendments, but then stalled. Undaunted, Leahy tried again last summer by proposing similar CFAA-strengthening language as an amendment to then-senator Joe Lieberman's broader cybersecurity bill, which died in the Senate last year.
Orin Kerr, a former Justice Department prosecutor and law professor at George Washington University who testified at last month's CFAA hearing, says the new proposal "is mostly" the Justice Department's 2011 language. He added in a blog post:
This language is really, really broad. If I read it correctly, the language would make it a felony to lie about your age on an online dating profile if you intended to contact someone online and ask them personal questions. It would make it a felony crime for anyone to violate the TOS on a government website. It would also make it a federal felony crime to violate TOS in the course of committing a very minor state misdemeanor. If there is a genuine argument for federal felony liability in these circumstances, I hope readers will enlighten me: I cannot understand what they are. In short, this is a step backward, not a step forward. This is a proposal to give DOJ what it wants, not to amend the CFAA in a way that would narrow it.
The Electronic Frontier Foundation has proposed its own version of "Aaron's Law," which follows the same broad principles at Rep. Zoe Lofgren's suggestion. Engine Advocacy and startups including OpenDNS, PadMapper, and Stack Exchange have endorsed that approach, telling (PDF) the House Judiciary committee that the current version of the CFAA threatens "developers and entrepreneurs who create groundbreaking technology."
Today's letter from the advocacy groups, which Kerr also signed, is directed at Rep. Bob Goodlatte (R-Va.), the chairman of the House Judiciary committee, and Rep. Jim Sensenbrenner (R-Wis.), the crime subcommittee chairman.
"It may be time for Congress to augment the CFAA," Sensenbrenner said during last month's hearing. "[I] applaud the administration for its efforts."
Goodlatte said in a prepared statement last month that: "Congress can and must do more. The Judiciary Committee is responsible for ensuring that our federal criminal laws keep pace with the ever-evolving cyber landscape."
CNET contacted representatives of Goodlatte and Sensenbrenner today to ask them if they support or oppose the Justice Department's proposal to expand the CFAA. We have not yet received a response and will update this article if we do.