In another high-profile case, 27-year-old Andrew Auernheimer was convicted under the CFAA for attacking AT&T servers and turning over illegally obtained information about iPad users to the gossip site Gawker.com. (Auernheimer and another man, Daniel Spitler, who was also charged in the case, claimed that their goal was to show AT&T that iPad-generated information was not secure in their system.) Auernheimer was threatened with long jail time and eventually pleaded to a 41-month sentence, the same punishment a convicted child pornographer received that month. One can argue about Auernheimer’s motivation, and the blogosphere is full of discussion about whether he should be considered a whistle-blower or a criminal hacker. But either way, the severity of the punishment seems unduly harsh.
The recent movie version of Victor Hugo’s Les Misérables reminded us of the story of Jean Valjean, who was thrown in prison for many years for stealing a loaf of bread. There are still parts of the world in which thieves are punished by having their hands cut off, or where offenses against a religious belief are punishable by death. These stories offend our notions of jurisprudence; in America we have been brought up to understand that a punishment should fit the crime.
Yet the CFAA is written in such an ambiguous and dated way that the punishments it prescribes are often wildly disproportionate to the crime. For example, the CFAA allows prosecutors to pursue the same draconian measures—with punishments ranging from five to 15 years per charge—for acts as benign as violating the terms of a vendor’s service agreements and those as malicious as a concerted effort to break into a computer and steal credit card numbers. The CFAA violations that Swartz, Downey and Auernheimer were charged with were hardly major acts of computer terrorism, yet the law treated them as such.
Aaron’s law would amend the CFAA to clarify the intent of the act. In particular, the bill clarifies the definitions of damages caused by computer crimes, makes penalties proportional to those damages, and disallows the stacking of duplicate charges, which is allowed under the current law. The modified CFAA would more clearly differentiate between serious computer fraud and minor violations such as terms-of-service violations and improper employee behavior without criminal intent. This long-overdue reworking of the CFAA is a first step in the direction of fixing a bad bill.
Computer crime is becoming an increasing danger to our society, and we cannot ignore the need for federal and international laws that allow strong penalties for serious online offenses. But these laws must be written in a way that does not harshly prosecute those whose cyber acts amount to the metaphorical theft of bread. Not only would this be a step toward basic fairness, but it would also enable law enforcement to focus on serious computer attacks rather than nuisance events.
In the long term, changes to the CFAA could deliver another important benefit. Just as overall crime goes down when we lock our doors and cars, so too will computer crime go down when the public more widely provides basic security on their own machines. As Aaron’s law shifts law enforcement’s focus to major crimes, computer users may start to realize that rather than counting on the FBI to protect them, they need to install local, simple solutions. In that way, Aaron’s law would not only bring an outdated law into the 21st century, it could also lead to a growing awareness that the best enforcement against computer crime starts in one’s own home.