cloud control

The trouble with Aaron’s Law

The proposed law honoring the legacy of Aaron Swartz is trying to be too many things to too many people
March 18, 2013

On Friday, the American Library Association honored Aaron Swartz, the young Internet activist who committed suicide in January, with its James Madison Award for his work on open access to information. Rep. Zoe Lofgren, a Democrat from California, won the award last year. She was slated to present the new one, the first the organization has awarded posthumously, to Swartz’s family.

Shortly after Swartz’s death–which some speculated was caused by federal charges he faced after downloading large batches of documents from the digital library JSTOR–Lofgren announced that she was beginning work on a law that would protect other Internet users from experiencing the sort of prosecution that Swartz was facing–what Lofgren called “inappropriate efforts undertaken by the US government” and “abuse of power.”

The law would amend the Computer Fraud and Abuse Act, the statute that US prosecutors had used against him. When she posted a first draft of the bill–she called it Aaron’s Law–to Reddit in January, Lofgren wrote that it “could be an important tribute” to Swartz’s work. Friday’s award ceremony was the sort of occasion that would have served as a perfect forum for announcing that she was introducing this bill to Congress–if she was ready to take that step. But in the end, she couldn’t even attend.

As a response to Swartz’s death, Aaron’s Law falls into a special category of legislation–bills premised on the idea never again should what happened to the victim, usually a child, happen again. It’s not obvious that Swartz should be included in that group. As a twenty-something, older adults in his life felt protective of him, but he was also a grown-up who made his own choices.

Right now, Lofgren has proposed a law that may have protected Swartz from the consequences of choices that he made–choices that some of his older friends disagreed with or thought rash, childlike. But there’s also a lot of talk around Aaron’s Law about creating a law that would honor his activism–a law that wouldn’t just protect people like him but also would complete the reframing and reforming the CFAA, an old, creaky law that’s ailing in more ways that one.

This is the problem with Aaron’s Law: It isn’t only about Aaron Swartz. Even if Lofgren’s intention is to open up the CFAA, passed in 1986, in order to perform relatively limited surgery, it’s almost impossible to talk about patching it up without addressing its larger ailments.

Sign up for CJR's daily email

To identify bad guys, the CFAA relies on two types of activities–accessing a computer either without authorization or in a way that exceeds authorized access. But in recent years, both legal scholars and judges have said that this schema catches too many everyday Internet users in its purview to make sense as the trigger for criminal prosecution.

“Back in 1986, maybe this made sense, if you think about what computers were like then,” Jennifer Granick, who leads the civil liberties program at Stanford Law School’s Center for Internet and Society, said at a recent event on the CFAA. “Either you weren’t allowed to use the computer at all, or you were in your workplace, or maybe you were a university student, and you had certain limited rights to use the computer. But you weren’t allowed to rampage through the system.”

But that’s not how computers work today. Every time a person goes on Facebook or checks Gmail or borrows a cellphone, they access a computer system. “The question in this world, where we have so many more interactions with computer services that are offered to the general public is: What does it mean to access without authorization?” Granick said.

In the hands of prosecutors, it can mean almost anything. Bradley Manning, who allegedly provided scores of classified government documents to Wikileaks, faces charges under the CFAA. The law has also been used against people who created email or social media accounts using fake names. The Department of Justice’s interpretation of the law has it that violating a website’s terms of service–those nebulous legal documents we’re always clicking to agree to–counts as a violation. That view, Orin Kerr, an advocate for reform, told Congress last week, “would make criminals out of most computer users.”

In its current draft, Aaron’s Law focuses in on the parts of the law that made the most trouble for Swartz. It would change the CFAA to clarify the meaning of unauthorized access. Violating terms of service would no longer count. This isn’t a radical idea; a panel of appellate judges in California’s Ninth Circuit have already ruled that the CFAA doesn’t cover this particular type of trespass. “If Congress meant to expand the scope of criminal liability to everyone who uses a computer in violation of computer use restrictions–which may well include everyone who uses a computer–we would expect it to use language better suited to that purpose,” the Ninth Circuit’s Chief Judge Alex Kozinski wrote. Aaron’s Law would also provide some protections for the sort of identity-masking that Swartz used when downloading the JSTOR records.

But advocates for reforming the CFAA have also proposed that Aaron’s Law go further. The Electronic Frontier Foundation, for instance, wants even greater protections for people who use “light technical workarounds” to gain access to information–people who want to maintain their privacy even as the websites they visit try to grab more identifying information about them, for instance, or entrepreneurs who want to access and repackage information in a way that a particular website might not already enable. In that vein, a group of startups and technology companies wrote to Congress last week that the CFAA, as currently written, gives “incumbent companies a dangerous and unfair weapon to wield against competitors.”

There’s another big change that many reform advocates are looking for but that, right now, Aaron’s Law does not make–reductions in the penalties associated with the law. Here’s where any reform effort runs into the stiffest resistance: The Obama administration is advocating for the opposite change. At the same time that legal scholars and civil liberties advocates have been worrying that the CFAA is too broad and imposes too-harsh penalties, the government has been worrying that it doesn’t give them enough power to go after and prosecute cybercrime.

At the Congressional hearing on the law last week, witnesses from the FBI and the Department of Justice spoke about the growing threat of computer crime from adversaries like terrorists, foreign spy service, and organized crime groups. The FBI considers “hacktivist groups trying to make a political or social statement through the Internet” among its primary adversaries.

From the government’s perspective, the sort of reforms that Aaron’s Law proposes aren’t ones that would protect purportedly well-intentioned innovators. Rather, they’re reforms that favor criminals–a category into which US prosecutors, at least, would group Aaron Swartz. “I don’t really understand why you want to be protective of the hackers,” one member of Congress told Kerr, who testified in favor of reforming the law. Though some officials might feel protective of a hacker like Swartz, there are plenty of other bad guys on the Internet that they’re worried about.

Disclosure: CJR has received funding from the Motion Picture Association of America (MPAA) to cover intellectual-property issues, but the organization has no influence on the content.

Sarah Laskow is a writer and editor in New York City. Her work has appeared in print and online in Grist, Good, The American Prospect, Salon, The New Republic, and other publications.