Aaron Swartz was a widely-respected and celebrated political activist, computer programmer and entrepreneur who founded Demand Progress and co-founded Reddit. In 2011, Swartz was charged with 13 felony wire fraud and hacking charges for mass-downloading academic articles he had the legal right to access through his institution. Under sections of the Computer Fraud and Abuse Act (CFAA), he faced a prison sentence of up to 35 years – all for violating a terms-of-service agreement.
After Swartz’ death on January 11, 2013, Rep. Zoe Lofgren (D-Calif.) worked with Senator Ron Wyden (D-Oreg.) to gain support for a bill to pass Aaron’s Law, an amendment to the CFAA that would prevent overzealous prosecution. Rep. Lofgren explained that the charges against Swartz were due, in large part, to the sweeping and generalized language of the CFAA and wire fraud statute. The CFAA, is technically capable of criminalizing a number of “everyday” activities, allowing for severely enforceable penalties. Aaron’s Law would address fundamental problems with the CFAA by:
- establishing that breaches of terms of service, employment agreements, or contracts are not automatic violations of the CFAA. The amendment modifies the CFAA’s criminalization of actions that “exceed authorized access” to those involving “access without authorization” – gaining unauthorized access to information by circumventing technological or physical controls such as password requirements, encryption or locked office doors. Hack attacks such as phishing, injection of malware or keystroke loggers, denial-of-service attacks, and viruses would therefore continue to be fully prosecutable.
- eliminating redundancy that enables an individual to be punished multiple times through duplicate charges for the same violation. This streamlines the law without creating a gap in protection against malicious hackers.
- bringing greater proportionality to CFAA penalties. Currently, the CFAA’s penalties are tiered, and prosecutors have wide discretion to ratchet up the severity of the penalties in several circumstances, leaving little room for nonfelony charges under CFAA (i.e. charges with penalties carrying less than a year in prison). Aaron’s Law would ensure that prosecutors cannot seek to inflate sentences by stacking multiple charges under the CFAA, including state law equivalents or non-criminal violations of the law.
The bill was unfortunately tabled by House Judiciary Committee Chairman Rep. Bob Goodlatte (R-Va.) before it could reach a vote. Records show that large corporations like Oracle funneled millions of dollars into lobbying against Aaron’s Law. The extreme interest of large tech companies, combined with a lack of broader interest from Representatives’ constituents, enabled the bill to quietly die on Rep. Goodlatte’s desk.
In 2015, Rep. Lofgren, Senator Ron Wyden (D-Ore.), and Senator Rand Paul (R-Ky.) began a second, bipartisan effort to pass Aaron’s Law. “Violating a smartphone app’s terms of service or sharing academic articles should not be punished more harshly than a government agency hacking into Senate files,” Wyden said. “The CFAA is so inconsistently and capriciously applied it results in misguided, heavy-handed prosecution.” In spite of bipartisan support from Reps. Jim Sensenbrenner (R-Wis.), Mike Doyle (D-Pa.), Dan Lipinski (D-Ill.) and Jared Polis (D-Colo.), it was again tabled, removing the chance for the law to move forward.
Aaron’s Law has not yet been reintroduced for a third time because the bill needs to garner much more public support than it currently has to stand a chance of passing.