
The great divide: Reforming the CFAA

Aaron Swartz's death inspired Rep. Zoe Lofgren to want to reform the federal anti-hacking law, but some security pros worry this would sterilize a potent enforcement weapon, reports Dan Kaplan.

Eight days after Aaron Swartz hanged himself in his apartment, the woman he wanted to marry walked to the podium in the Great Hall at Cooper Union in Manhattan – the same stage where, in 1860, President Lincoln delivered one of his most memorable addresses decrying the spread of slavery – to not only mourn her partner's unthinkable death and examine his legacy, but to describe how he himself was a captive – a prisoner, she said, of the “deeply dysfunctional” U.S. criminal justice system.

“Last Friday, he faced the prospect of yet another three months of uncertainty and ups and downs and being forced by the government to spend every fiber of his being on this damnable, senseless trial with no guarantee that he could exonerate himself at the end of it,” Taren Stinebrickner-Kauffman told a plaintive crowd, the sadness in the packed auditorium clearly palpable even to someone who had never met Swartz and only was marginally familiar with his work. “He was so scared and so frustrated and so desperate, and more than anything else, just so weary. I think he just couldn't take it another day.”

Nobody knows for sure what ultimately catalyzed Swartz, who was 26 when he died and had reportedly battled depression for many years before that, to tighten the noose. But his passing was equal parts tragic, troubling and energizing. Since the suicide of Swartz, the Reddit co-founder, RSS creator and political activist, his circumstance has become a cause célèbre for critics of a federal computer crime law they believe has run amok. His death quickly garnered the attention of some members of Congress – Swartz was well-known in political circles for his work to end the controversial Stop Online Piracy Act (SOPA), which was shelved last year.

It was during that campaign that he met Rep. Zoe Lofgren, a Democrat who represents California's 19th congressional district. Lofgren, also a SOPA opponent, was impressed by Swartz. And in the days following his death, she unveiled, fittingly on Reddit, a draft of “Aaron's Law,” which seeks to reform and update the 29-year-old Computer Fraud and Abuse Act (CFAA), the federal anti-hacking statute under which Swartz was prosecuted – and, many believe, bullied.

“I met him along with a lot of other technologists who were incredibly smart and committed to public service,” Lofgren recalls. “[When I heard he died], I felt very badly for him, his family, as well as the country."

Swartz one day dreamed of perhaps working in the White House, believing that his prodigious technical ability and creative genius could translate into crusading for policy reform. He was particularly interested in topics that exploited the downtrodden and the marginalized, issues like health care, financial corruption and the drug war. Among his many pursuits, Swartz had served as an intern at Rep. Alan Grayson's office, where his colleague at the time, Matthew Stoller, would later remember how Swartz, as a developer, “broke politics down and systematically attempted to understand the system. Aaron learned, tried, gabbed and then built.”

Yet, in a cruel twist of irony, the very system he sought to join ultimately worked against him, making him the victim of what many believe is an outdated, even draconian, law: the CFAA. Swartz had faced decades in prison, but even if he had agreed to plead guilty and accept a minimal sentence, perhaps as little as a few months in prison, he still would have carried with him the stigma of felon for the rest of his life, something that would forever bar him from holding an influential policy position within the Beltway. To those who knew him well, that was a crushing prospect.

The story of Aaron Swartz's aggressive prosecution by the U.S. attorney's office is a well-known one. In 2011, he allegedly broke into a wiring closet to access the computer network at the Massachusetts Institute of Technology. Then, thanks to an automated script he wrote, he downloaded millions of academic journals from subscription-based academic research repository JSTOR, which he believed should be lifted from corporate control and into the domain of the public – for free. He was slapped with 13 felony counts, 11 under the CFAA.

But some believe such a heavy-handed prosecution was exactly the plan all along for a boat-rocking activist like Swartz. Friends, professors and civil liberties groups say he personified the growing target of prosecutorial abuse and overreach, a culture sprouted amid a government and corporate state committed to silencing online dissent to ensure it can operate in secrecy and for profit, without worries that a coder who preferred graphic T-shirts to expensive suits could ever beat them at their own game. In many ways, Swartz was a member of a two-tiered justice system, and he sat on the wrong side. As his mentor and friend Larry Lessig, a law professor at Harvard, would write soon after his death: “For remember, we live in a world where the architects of the financial crisis regularly dine at the White House –  and where even those brought to ‘justice' never even have to admit any wrongdoing, let alone be labeled ‘felons'.”

Coincidentally, perhaps, Swartz was indicted amid a brazen spree of compromises at the hands of hacktivist groups Anonymous and offshoot LulzSec, which sought to showcase reprehensible corporate behavior and embarrass major companies by defacing websites and exposing data by the terabyte.

A call for reform

Surprising as it may be, the CFAA originally was crafted in 1984, prompted in part by the release of the film War Games, starring Matthew Broderick, which stoked U.S. government fears of the vulnerability of its defense infrastructure. The law has been expanded no fewer than eight times since, each time its scope broadened as more computers came online and the world increasingly became connected by the internet. The penalties are severe, too: Offenders can face up to 20 years in prison for each violation.

“Our lawmaker and the DoJ is a little out of touch,” says Hanni Fakhoury, a staff attorney at the Electronic Frontier Foundation, a digital advocacy group. “To the extent they're aware of what goes on online, they're maybe a little nervous about it. There's the great cyber crime panic going on right now, and I think jacking up the CFAA is one of the responses to that.”

But the EFF says the CFAA does little to curb the threat of espionage and fraud emanating from countries like China, Iran and Russia, which often is used as justification by Congress to tighten computer crime laws here. Writing on the EFF's blog, policy analyst Mark Jaycox said he is aware of only a “handful” of extraditions under the CFAA. “Many foreign hacks—like the ones revealed in the recently released Mandiant report [on a Chinese military unit that stole U.S. intellectual property] — are not private individuals, but are state or quasi-state sponsored citizens…. And the U.S. will find it hard, if not impossible, to extradite [them]. In the case of China and Russia, there are strong legal prohibitions that bar the government from handing over a citizen to another country.” That can apply even to its closest allies. The United States had been trying for years to force accused U.S. government hacker Gary McKinnon to face trial here, but the British home secretary in December withdrew an extradition order against him. 

But Swartz was afforded no such luxury. The reason he faced more than three decades in prison was because of language in a section of the CFAA that states that a person can be held liable for violating the law if they've “knowingly accessed a computer without authorization or [exceeded] authorized access.” Prosecutors could interpret this to mean an infraction is as seemingly innocuous and common as violating a company's computing policy (visiting YouTube, for example) or a website's terms of service (for instance, lying about one's age when setting up a Facebook account) – possibilities that didn't exist when the law was passed. Swartz's indictment partially relied on this provision. 

Lofgren proposed her first idea for a reform to the bill – which The New Yorker called “the worst law in technology” – in January, days after Swartz's death. Two weeks later, after consulting the Reddit community and other IT professionals, she released a revised version of the draft, with some additional caveats, including protection for web users and researchers who seek to defend their privacy, in addition to adding language specifying that a violation can only occur if someone purposefully evades security measures, such as password controls or a firewall.

“Like the first draft, this revised draft explicitly excludes breaches of terms of service or user agreements as violations of the CFAA and wire fraud statute,” Lofgren wrote on Reddit. “This revised draft also makes clear that changing one's MAC or IP address is not in itself a violation of the CFAA or wire fraud statute. In addition, this draft limits the scope of CFAA by defining ‘access without authorization' as the circumvention of technological access barriers. Taken together, the changes in this draft should prevent the kind of abusive prosecution directed at Aaron Swartz and would help protect other internet users from outsized liability for everyday activity.”

Lofgren says the tweaks to the CFAA aren't a rewrite, and are by no means meant to water down the bill's enforcement ability. “My thought is that we should make changes to the statute so that if someone did something like Aaron, they would not be facing a 35-year prison sentence,” she says. “On the other hand, there are in fact cyber criminals. I am not of the view that cyber crime is non-existent.”

The congresswoman is reticent to make the issue political. She does not want to accuse the U.S. attorney's office of overreach and misconduct, preferring to leave that investigation up to the House's Committee on Oversight and Government Reform. “It seemed to me the positive role I could play was to examine the statute itself and learn what was in it that could allow a prosecutor to file 13 felony charges for what was an act of civil disobedience,” she says.

The EFF, among other civil liberties groups, has joined Lofgren in her fight to rework the bill. In addition to the alterations that Lofgren seeks, the EFF is hoping to revamp what it calls the CFAA's harsh penalty scheme, which “makes first-time offenses for accessing a protected computer without sufficient authorization...punishable by up to five years in prison each.”

“We want the law to be proportionate and want that to apply to everyone,” Fakhoury says. “Whether you are a legitimate researcher or you're the worst credit card scammer, that will have a net benefit for everyone.”

One of the most outspoken critics of the CFAA is a man who was recently jailed because of it. In March, Andrew “Weev” Auernheimer, a brash, self-proclaimed internet troll, was sentenced to 41 months in prison following his conviction last year for discovering and exploiting a weakness on the website of AT&T that allowed him and a co-conspirator to obtain data on roughly 120,000 Apple iPad users, including politicians and celebrities. 

Like Swartz, Auernheimer never sought to profit off the information he found. To the contrary, his intention only was to shame the nation's largest telecom company because of its shoddy security practices. And like Swartz, he didn't use any classic hacking techniques, like brute force or SQL injection. But make no mistake, the two are not exactly comparable – Auernheimer never balked over the possibility of getting prison time. In fact, he embraced it. 

From prison at the Metropolitan Detention Center in Brooklyn, Auernheimer has been actively tweeting, thanks to a friend who is posting his remarks for him after she receives them via email. He said he is committed to abolishing the CFAA: “You're lucky that I'm a poor [expletive] from Arkansas. Brawling in prison is my idea of fun. I have the strength to fight this.” In another Twitter diatribe posted a couple of days earlier, Auernheimer said existing wire fraud statutes already address cyber crimes, and it's unfair that there is a special law for computer infractions.

“The CFAA doesn't hinder Romanians, Estonians, Chinese or the RBN [Russian Business Network]” he tweeted. “It only hurts researchers and activists...The idea one should be punished extra for using a computer is backward. Unfortunately, the billions of [dollars of] theft and money laundering finance industry criminals do with paper goes unpunished.” Instead, he said, lawmakers should focus their attention on encouraging the development of more robust IT systems, ones that aren't prone to common vulnerabilities, like memory corruption.

Expanding the law

But while many want to see the CFAA amended, or extinguished altogether, a class of security professionals, prosecutors and lawmakers has expressed trepidation over any efforts to diminish its enforcement effectiveness. With security breaches becoming a mainstream norm, it's easy to understand how some, particularly those vested with deflecting attacks and guarding valuable data, can get a little spooked.

“I see hundreds and hundreds of attempted break-ins every day, and frankly, I don't think we have a handle on them as it is,” says Brett Glass, owner of Lariat, a small internet service provider based in Laramie, Wyo. “I think weakening your legal recourse, we have to seriously consider whether we want to.”

Others take a harder line. Nicole Muryn, a lobbyist representing BITS, the technology arm of the Financial Services Roundtable, says her organization actively supports maintaining the CFAA in its current form, considering its member banks represent a significant target for cyber attackers. That includes keeping intact controversial sections of the law, such as the terms-of-service component, which she says is necessary considering the growing usage of social media accounts by financial institutions. “We would prefer that it would stay the way the law is written now,” she says.

Alexander Southwell, who served as a U.S. attorney in the Southern District of New York from 2001 to 2007, says the deterrence that the CFAA provides should not be underestimated, particularly when one is referencing the threat posed by so-called malicious insiders. Richard Downing, deputy section chief for computer crime and intellectual property at the DoJ, agrees. He told the House Judiciary Committee in 2011 that “limiting the use of such terms to define the scope of authorization would, in some instances, prevent prosecution of exactly the kind of serious insider cases the department handles on a regular basis.”

However, the EFF's Fakhoury disagrees, arguing that existing laws, such as those covering the misappropriation of trade secrets, already cover those acts.

And what about someone like Aaron Swartz, who was not seeking to defraud his employer, but merely wanted to strike back against a for-profit academic system with which he disagreed? Or what about Lori Drew, whose intentions may have been abominable, but who never actually hacked anything?

“That's really a debate about prosecutorial discretion, not about the statute,” says Southwell, now a partner at New York-based law firm Gibson, Dunn and Crutcher, and an adjunct professor of law at Fordham University. “My personal view is there is an appropriate balance struck now. There could be some clarity brought to the law, but I'm not sure it needs a wholesale contraction...I have more faith in prosecutorial discretion of judicial interpretation than perhaps others.”

Never mind a contraction, there are efforts underway within the House Judiciary Committee to actually pass legislation to expand the CFAA, keeping in place the sections that Lofgren and company want to see reformed, while stiffening penalties, expanding “conspiracy” thresholds and adding language that conflates certain forms of hacking with racketeering. The language is similar to a 2011 effort backed by President Obama and the Department of Justice, and which almost turned into law.

So, just like that, Lofgren now finds herself in a tug-of-war that surely would make Aaron Swartz's blood boil, along with that of others who believe they are being unfairly persecuted under the CFAA.

And, who knows, maybe Abraham Lincoln as well. 

Photo of Zoe Lofgren by Jay Westcott/NewSport; photo inset of Aaron Swartz by Daniel J. Sieradski/Zuma; photo of Aaron Swartz funeral: © Michael Tercha/MCT
