The suicide of Aaron Swartz, the computer programmer and freedom-of-information activist who was slapped with computer intrusion charges that could have imprisoned him for 35 years, may prompt changes to a federal anti-hacking statute that many view as overly broad, heavy-handed and outdated.
Rep. Zoe Lofgren, D-Calif., on Tuesday introduced a proposal (PDF), nicknamed "Aaron's Law," that would amend the Computer Fraud and Abuse Act (CFAA) to "exclude certain violations of agreements or contractual obligations, relating to internet service, from the purview of certain criminal prohibitions..."
In 2011, Swartz was charged under that provision when he accessed the network of the Massachusetts Institute of Technology to allegedly download more than four million articles from JSTOR, a database of academic journals. He never intended to sell them, only to make them freely available as part of an act of civil disobedience.
"We should prevent what happened to Aaron from happening to other internet users," Lofgren wrote on social news site Reddit, where she announced the proposal. (Swartz was Reddit's co-founder). "Using the law in this way could criminalize many everyday activities and allow for outlandishly severe penalties. When our laws need to be modified, Congress has a responsibility to act."
Had Lofgren's proposal been law, legal experts agree that it would have at least lessened the charges Swartz was facing and limited the amount of time he could have faced in prison.
Hanni Fakhoury, a staff attorney with the Electronic Frontier Foundation, told SCMagazine on Wednesday that the digital rights group has long believed that the CFAA contains wording that is too broad and vague, and opens the door for potential prosecutorial overreach. In particular, it states that a person can violate the law simply by exceeding authorized access, which could mean doing something as seemingly trivial as posting false information on one's Facebook profile, a violation of the social networking site's terms of service, or, in the case of Swartz, "downloading files in an efficient way that may be inconsiderate of other people's use of the network."
In addition, the penalties in CFAA are too severe, Fakhoury said. Specifically, its misdemeanor provision is too narrow, and most of the law's possible offenses are classified as felonies, with a maximum punishment beginning at five years in prison.
He said Lofgren's proposal essentially would "codify" a recent decision by the 9th U.S. Circuit Court of Appeals in San Francisco.