In its current draft, Aaron’s Law focuses in on the parts of the law that made the most trouble for Swartz. It would change the CFAA to clarify the meaning of unauthorized access. Violating terms of service would no longer count. This isn’t a radical idea; a panel of appellate judges in California’s Ninth Circuit have already ruled that the CFAA doesn’t cover this particular type of trespass. “If Congress meant to expand the scope of criminal liability to everyone who uses a computer in violation of computer use restrictions—which may well include everyone who uses a computer—we would expect it to use language better suited to that purpose,” the Ninth Circuit’s Chief Judge Alex Kozinski wrote. Aaron’s Law would also provide some protections for the sort of identity-masking that Swartz used when downloading the JSTOR records.
But advocates for reforming the CFAA have also proposed that Aaron’s Law go further. The Electronic Frontier Foundation, for instance, wants even greater protections for people who use “light technical workarounds” to gain access to information—people who want to maintain their privacy even as the websites they visit try to grab more identifying information about them, for instance, or entrepreneurs who want to access and repackage information in a way that a particular website might not already enable. In that vein, a group of startups and technology companies wrote to Congress last week that the CFAA, as currently written, gives “incumbent companies a dangerous and unfair weapon to wield against competitors.”
There’s another big change that many reform advocates are looking for but that, right now, Aaron’s Law does not make—reductions in the penalties associated with the law. Here’s where any reform effort runs into the stiffest resistance: The Obama administration is advocating for the opposite change. At the same time that legal scholars and civil liberties advocates have been worrying that the CFAA is too broad and imposes too-harsh penalties, the government has been worrying that it doesn’t give them enough power to go after and prosecute cybercrime.
At the Congressional hearing on the law last week, witnesses from the FBI and the Department of Justice spoke about the growing threat of computer crime from adversaries like terrorists, foreign spy service, and organized crime groups. The FBI considers “hacktivist groups trying to make a political or social statement through the Internet” among its primary adversaries.
From the government’s perspective, the sort of reforms that Aaron’s Law proposes aren’t ones that would protect purportedly well-intentioned innovators. Rather, they’re reforms that favor criminals—a category into which US prosecutors, at least, would group Aaron Swartz. “I don’t really understand why you want to be protective of the hackers,” one member of Congress told Kerr, who testified in favor of reforming the law. Though some officials might feel protective of a hacker like Swartz, there are plenty of other bad guys on the Internet that they’re worried about.
Disclosure: CJR has received funding from the Motion Picture Association of America (MPAA) to cover intellectual-property issues, but the organization has no influence on the content.