Though blocked before becoming law, the Aaron’s Law Act helped show that there is widespread support in the IT community and considerable support in legislature for laws that would protect individuals from potential abuses under the Computer Fraud and Abuse Act (CFAA).
If you work in cybersecurity then you need to be familiar with the Computer Fraud and Abuse Act (CFAA), the 1986 law passed to give prosecutors and companies an effective tool to sue and prosecute criminal hacking of protected computer systems. Since most hacking is interstate by its very nature, the federal law is the one that is most commonly used when pursuing hackers of almost any stripe, from those unleashing destructive worms on the internet to those attempting to steal credit card numbers from major retailers.
Although the law has been put to good use putting malicious hackers behind bars, its provisions were drawn widely and remain extremely controversial in information security circles. There are few restrictions on the way that prosecutors can interpret the language in the act describing unauthorized access or exceeding authorized access, particularly when that access is typically governed by enormously lengthy terms of service agreements which are, at best, simple click-throughs, and at worst simply assumed to be in force and never displayed to users.
This has led to excesses in prosecution of users who were, in some cases, simply making use of systems in unintended, but non-malicious, ways.
In the case of Aaron Swartz, this type of use, and the resulting criminal case against him, resulted in both tragedy and in proposed legislation designed to curb the worst abuses of the CFAA.
A Troubled Youth Turns To Internet Activism To Make A Point
Aaron Swartz was a bright young man from Chicago who grew up in a house filled with computers. His father had founded a software firm in Chicago that created operating system software for PCs. Aaron was a fast learner when it came to coding and internet culture. He was already taking college-level courses by the time he was in 10th grade, and at the age of 14 he participated on the team that created the RSS 1.0 specification.
While attending Stanford, Swartz became involved with the startup mishmash that would eventually evolve into Reddit, the front page of the internet. He dropped out to work on that and other coding projects, becoming well-known and respected in the community in the process.
Like a lot of independent teen prodigies, Aaron didn’t thrive in office cultures, preferring solo work or startup gigs. After Reddit was acquired by Condé Nast, he left to pursue other ventures… but ended up becoming an advocate for open communication and progressive policy.
In this effort, he used the tools he knew best: computers.
A Preview of Things to Come: Massive Downloads of Public Data
In 2008, Swartz used a public library account to gain access to the federal court system information website, PACER (Public Access To Court Electronic Records). Despite the name, PACER required both a subscription and an 8 cents per page charge to view public court records. The technology was outdated and Swartz, among others, found the fee ludicrous for electronic data that could be endlessly duplicated at no real cost.
Aaron whipped together a Perl script on a rented Amazon cloud computing instance that siphoned around 2.7 million documents out of PACER. He turned them over to another activist, who published them.
The FBI investigated Swartz over the incident but ultimately declined to file charges. He wouldn’t be so lucky the next time around.
Federal Charges and Suicide Follow Another Document Dump
Perhaps encouraged by the results of his PACER efforts, Swartz next targeted JSTOR, a repository of digitized academic journal articles. For bandwidth and access, he set up a laptop in a wiring closet at MIT.
The massive dump triggered problems at JSTOR’s servers, though. The organization’s administrators contacted MIT and they cooperatively identified the IP address and location where the download was being made. A video camera was set up, and when Swartz came to check on his project, he was arrested by MIT campus police and the U.S. Secret Service.
JSTOR negotiated a settlement with Swartz, requiring him to turn over the data, but federal prosecutors were unwilling to do much bargaining. They charged Swartz under the CFAA, and offered him a take-it-or-leave-it deal: plead guilty and serve six months in prison.
Swartz decided to leave it in the worst possible way: two days after rejecting the deal, he hanged himself in his Brooklyn apartment.
A Pointless Death Spurs Further Activism
Swartz’s status in the community and the severity of the charges leveled against him for acts that appeared to be relatively innocuous set off a furor. His family and a number of prominent internet privacy and freedom advocates such as Lawrence Lessig and Doc Searls protested the decision of prosecutors to persist with hardline felony charges even as JSTOR and MIT dropped their own cases.
The backlash continued and spread. Although it probably didn’t help the general argument, several hacker groups attacked and defaced websites of organizations related to Swartz’s arrest. Two different movies were made highlighting the case.
Before long, politicians took notice. Three members of the House Judiciary Committee, Republican Darrell Issa and Democrats Jared Polis and Zoe Lofgren, all raised questions about government handling of the case. Massachusetts Senator Elizabeth Warren (D) issued a statement praising Swartz and Texas Senator John Cornyn (R) wrote to the attorney general with questions about how the Justice Department had pursued the case.
Hearings were held on the matter, and Congress didn’t like the answers it received. Even after Swartz’s death, Attorney General Eric Holder testified that the case was an appropriate use of prosecutorial discretion and that Swartz should have served time for his actions.
For Representative Lofgren, it was the last straw. In July of 2013, she introduced House Bill 2454, titled Aaron’s Law Act of 2013.
HB 2454 would modify the CFAA to exclude terms of service violations from the list of potential crimes covered by the act. Although an apparently minor change, this would prevent a great deal of possible abuse by both service providers and prosecutors seizing on technicalities in terms that most users are completely unaware of.
It also offered language to clarify the penalty provisions of the statute to limit enhanced penalties to only criminal acts and only for additional violations of the act itself. This would prevent prosecutors from easily tacking on other charges like making false statements to federal officers and using those to boost jail time arbitrarily.
Finally, it provided additional guidance on how losses would be calculated for the purposes of the act, requiring prosecutors and anyone bringing civil charges under the act to use fair market value. Previously, they were allowed to determine their own figures for the value of data or computer services, which were usually notoriously high.
The bill enjoyed widespread support from a number of civil liberties organizations, including the EFF (Electronic Frontier Foundation) and the ACLU (American Civil Liberties Union).
Unfortunately, the bill stalled in committee the following year. Lofgren reintroduced it in 2015, and it met a similar fate. Supporters of Swartz and his family believe that back-channel lobbying by moneyed corporate interests is responsible for Aaron’s Law being blocked.