SA Forum is an invited essay from experts on topical issues in science and technology.
This year the U.S. Congress is considering changes to the Computer Fraud and Abuse Act (CFAA), the primary law that governs cyber crime and fraud on the Internet. The act, originally passed in 1986, was aimed at providing a measure of security for computers against unauthorized access to large, time-shared computers. Back then the perceived threat was serious computer hacking—people breaking into the banking system or the nuclear control system (remember the movie War Games?). The act has been extended many times since, including as part of the post-9/11 Patriot Act. Now, in response to a reported increase in cyber attacks coming from abroad, many members of Congress want to again expand the CFAA, adding to the stringency of the law with the intent of further protecting America’s computing resources.
One bill, however—“Aaron’s Law,” introduced in June by Rep. Zoe Lofgren (D–Calif.) and Sen. Ron Wyden (D–Ore.)—would appear to go in the other direction. Aaron’s law removes some computer activities from coverage under the act and limits the prosecution of certain CFAA violations. And although that might seem counterintuitive in a time of increased cyber crime, it is in fact a necessary reform to a deeply flawed and outdated law.
Aaron’s law is named for Aaron Swartz, the Internet activist who committed suicide in January. Before his death at age 26, Aaron contributed much to society, both technically and politically. He helped develop the RSS syndication format used for Web-based news feeds, the social news site Reddit and the Creative Commons codes now used to help promote the online sharing of Web content. Politically, he was well known for his role in founding the group Demand Progress, one of the more effective voices against legislation that many believe would have significantly limited online free speech and innovation. One of his causes was “Open Data.” He realized that sitting in many computers was a lot of inaccessible information that, in principle, anyone should be able to access. He was committed to taking publicly funded data—including the results of government-funded scientific research—and making it available on the Web for easy access.
That may have been what he was trying to achieve when, in January 2011, he downloaded a large number of articles from the academic-document archive JSTOR onto his laptop. Aaron had a JSTOR account, allowing him access to the work, but he arguably abused that access by setting up a computer at Massachusetts Institute of Technology and downloading articles in bulk over a period of weeks. He was originally arrested on a minor charge, and JSTOR decided not to pursue the case. Unfortunately, federal prosecutors did not drop the charges. Under the CFAA, Aaron was charged with 11 felony violations and faced up to 35 years in prison. Two years later, as the trial approached, he hanged himself in his Brooklyn apartment
Swartz is not the only victim of apparent overprosecution under the CFAA. Keith Downey, a 28-year-old programmer from Florida, is accused of attacking PayPal’s server to protest its termination of a donation page for Wikileaks. Whether this was mischief, crime or civil disobedience seems an appropriate question for the courts to address. But the 15-year prison sentence Downey currently faces is out of proportion. To put this in perspective, 15 years is the same sentence recently given to one criminal convicted of child sex abuse and another of gang-related homicide.