The campaign to pass “Aaron’s Law”—or, at least, some version of CFAA reform—is meant to address the law’s shortcomings. But as it stands now, if, like Keys, or Auernheimer, you’re faced with CFAA charges, you need to start by calling a good defense lawyer.
Tor Ekeland is part of a small but growing cadre of attorneys, working, for the most part, on one coast or the other, who specialize in defending against computer crime charges. There are also more lawyers working to prosecute alleged violations of the CFAA. When Orin Kerr, now a professor and expert on computer crime law, began working at the Justice Department in 1998, he was only the 17th lawyer in the computer crime and intellectual property section. Now, there’s at least twice that many, just in Main Justice, that work on computer crime, and dozens more working across the federal government and in US Attorney offices.
While Kerr worked as a prosecutor for the government, as an academic he’s focused on reforming the CFAA and defending a select few clients whose cases shows the flaws he’s identified in the law. When Kerr started teaching in 2001, he focused this area because he thought computer crime issues “were going to be the criminal law subject of my generation,” he says. He wanted to delve into it, see how the issues were going to play out over time. He also saw a chance to influence how the law was going to develop.
“No one was writing about this 10 years ago,” he says. “Other academics thought that was a very odd subject. Ten years later, it’s a major issue.”
* * *
The case that most represents the opportunity to influence the law right now is Auerheimer’s. “The trial is a shitshow,” says Ekeland. “A fight in a pit.” They lost the first round: Last November, a jury found Auernheimer guilty of violating the CFAA, and he’s currently serving a sentence of 41 months. Ekeland was right, though, to think the case could make a difference in how the law is interpreted: Since he took it up, EFF and Kerr have signed on to help with Auernheimer’s appeal.
This case, in particular, is attractive to lawyers because it could change how courts interpret the the CFAA. “I look for major impact in the direction of the law,” Kerr says. “The scholarship is what helps frame the debate but the litigation is what influences the courts.”
At issue in the case is what constitutes “unauthorized access” to a computer. The information that Auerheimer and his co-defendant (who pled guilty) accessed and spread was available on the Internet, without a password—you just needed to know where to look.What they did is close enough to techniques journalists use regularly that, when the subject of a Scripps-Howard investigation threatened to use the CFAA against the news agency, reporters immediately started making comparisons.
The legal issues in Keys’ case, which hasn’t gone to trial yet, are a little more cut-and-dry. He’s indicted under a different section of the law, for “causing damage without authorization to a protected computer”—not for accessing the computer but for, essentially, forcing the Tribune Company to invest in better digital protection. But his case is part of the same story as Auerheimer’s and Swartz’s. These three cases are data points in an argument that advocacy groups like the EFF and academics like Kerr are making: that the CFAA, as it’s written now, makes little sense and, at the whim of prosecutors, can be used to punish people for relatively minor offenses.
Disclosure: CJR has received funding from the Motion Picture Association of America (MPAA) to cover intellectual-property issues, but the organization has no influence on the content.