Death of Swartz could yield reform of anti-hacking law

Share this article:

The suicide of Aaron Swartz, the computer programmer and freedom-of-information activist who was slapped with computer intrusion charges that could have imprisoned him for 35 years, may prompt changes to a federal anti-hacking statute that many view as overly broad, heavy-handed and outdated.

Rep. Zoe Lofgren, D-Calif., on Tuesday introduced a proposal (PDF), nicknamed "Aaron's Law," that would amend the Computer Fraud and Abuse Act (CFAA) to "exclude certain violations of agreements or contractual obligations, relating to internet service, from the purview of certain criminal prohibitions..."

In 2011, Swartz was charged under that provision when he accessed the network of the Massachusetts Institute of Technology to allegedly download more than four million articles from JSTOR, a database of academic journals. He never intended to sell them, only to make them freely available as part of an act of civil disobedience.

"We should prevent what happened to Aaron from happening to other internet users," Lofgren wrote on social news site Reddit, where she announced the proposal. (Swartz was Reddit's co-founder). "Using the law in this way could criminalize many everyday activities and allow for outlandishly severe penalties. When our laws need to be modified, Congress has a responsibility to act."

Had Lofgren's proposal been law, legal experts agree that it would have at least lessened the charges Swartz was facing and limited the amount of time he could have faced in prison.

Hanni Fakhoury, a staff attorney with the Electronic Frontier Foundation, told SCMagazine on Wednesday that the digital rights group has long believed that the CFAA contains wording that is too broad and vague, and opens the door for potential prosecutorial overreach. In particular, it states that a person can violate the law simply by exceeding authorized access, which could mean doing something as seemingly trivial as posting false information on one's Facebook profile, a violation of the social networking site's terms of service, or, in the case of Swartz, "downloading files in an efficient way that may be inconsiderate of other people's use of the network."

In addition, the penalties in CFAA are too severe, Fakhoury said. Specifically, its misdemeanor provision is too narrow, and most of the law's possible offenses are classified as felonies, with a maximum punishment beginning at five years in prison.

He said Lofgren's proposal essentially would "codify" a recent decision by the 9th U.S. Circuit Court of Appeals in San Francisco.

Page 1 of 2
Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Email promises free pizza, ensnares victims in Asprox botnet instead

Email promises free pizza, ensnares victims in Asprox ...

Cloudmark came upon an email that offers free pizza, but clicking on the link to get the coupon ends with victims being ensnared in a botnet.

Report: most orgs lacking in response team, policies to address cyber incidents

In its Q3 threat intelligence report, Solutionary learned that 75 percent of organizations it assisted had no response team or policies and procedures to address cyber incidents.

Flash redirect campaign impacts Carnegie Mellon page, leads to Angler EK

Flash redirect campaign impacts Carnegie Mellon page, leads ...

Malwarebytes found that, since early July, thousands of sites had been targeted in the campaign.