A year after Swartz suicide, reform of anti-hacking law remains elusive

Calls for changing the Computer Fraud and Abuse Act have made little headway

Internet activist Aaron Swartz's suicide last January galvanized calls for an overhaul of the Computer Fraud and Abuse Act (CFAA), used widely by the government to prosecute misdeeds that critics say the law was never intended to address. Yet, one year after Swartz's death, efforts to reform the law appear to have made little headway.

Aaron's Law, a bill that would have put important new restrictions on use of the CFAA by federal prosecutors, stalled in Congress last year despite eliciting wide support from privacy and rights advocacy groups. The bill was sent to the House Judiciary Committee's Crime, Terrorism, Homeland Security and Investigations subcommittee in June, where it languished.

Internet activist Aaron Swartz speaking at the Freedom to Connect conference in Washington in May 2012. (Photo: Peretz Partensky via Wikimedia Commons)

While Swartz's legions of supporters remain intent on reforming the law, the appetite for change in Washington has diminished considerably. A bill introduced by Sen. Patrick Leahy (D-Vt.) earlier this month seeks to tweak the CFAA, but in a manner that raises new issues, according to some observers.

The furor over the Edward Snowden leaks also diverted attention from CFAA reform, making it uncertain whether change to the act will happen this year.

"Unfortunately, little has changed on the CFAA front," after Swartz's death, said Hanni Fakhoury, a staff attorney with the Electronic Frontier Foundation. "Since the Snowden/NSA stories broke, much of the attention has turned to that fight."

Leahy's recently introduced bill may bring more attention and momentum to the fight to scale back the CFAA, but it's too soon to say for sure, Fakhoury said.

Swartz, 26, hanged himself Jan. 11, 2013, apparently over concerns of spending a long time in prison on hacking charges. Federal prosecutors in Massachusetts had indicted Swartz on 13 counts of felony hacking and wire fraud charges in connection with his alleged theft of millions of documents from JSTOR, an online library of literary journals and scholarly documents.

Swartz, a co-founder of the online news aggregation site Reddit and co-author of the RSS 1.0 Web feed specification, downloaded the documents from an MIT server using an account that he had set up with a fake name and email address.

Swartz, who was a fellow at Harvard University at the time, claimed he downloaded the scholarly documents so he could make them available for free on the Internet. The JSTOR documents are typically sold by subscription to universities and other institutions.

Federal prosecutors accused him of breaking provisions of the CFAA, which, among other things, makes it illegal for anyone to knowingly access a computer without authorization or to exceed their authorized use of a system.

The law provides for penalties of up to life in prison for hacking. Prosecutors allegedly led Swartz into believing he faced 35 years in prison for his actions -- a prospect that is believed to have spurred his decision to kill himself.

The CFAA, drafted by Congress in 1986, was originally designed to deter criminal hacking for data theft or sabotage. Critics of the law say that its loose definition of key terms, like those related to unauthorized access and exceeding authorized access, has allowed creative prosecutors to apply the CFAA to a broader set of circumstances.

The critics have noted that over the years hardline prosecutors have used the law to criminalize such transgressions as violating a website's terms of service agreements or a company's internal computer use terms.

People have been indicted under the law for creating email accounts and social media profiles using fake email addresses. Others have been banned from logging onto specific websites for not adhering to the site's terms of service agreements. Theoretically at least, the law makes it a felony to provide fake information when filling out a social media profile, the law's critics say.

They also say that even misdemeanors become felonies with disproportionately punitive punishments under CFAA.

Aaron's Law, introduced last June by Sen. Ron Wyden (D-Ore.) and Reps. Zoe Lofgren (D-Calif.) and Jim Sensenbrenner (R-Wisc.), sought to address some of the issues by deleting certain terms and tightening the definition of others.

With its failure to advance, however, change has remained elusive.

"I don't think we are any closer to CFAA reform than we were a year ago," said Eric Goldman, a professor at the Santa Clara University School of Law. "Any reform impetus that was spurred by Swartz's death has probably dissipated."

Some federal courts have begun to make a "brighter distinction" between intruders, who never had authorization to access a third party's computer, and legitimate users, who lost or exceeded their access, he said.

Despite this, "we still need structural CFAA reform, and we need similar changes in overbroad state computer crime laws," Goldman said.

Shawn Tuma, an attorney with the law firm BrittonTuma in Plano, Texas, who has defended clients in CFAA lawsuits, said the real problem is not with the law, but the manner in which prosecutors have applied it.

"I think the CFAA is a powerful and good tool," Tuma said. "But we have seen some horrible abuses [of the law] by government," he said.

The law needs to be revised in order to allow for lesser charges such as misdemeanors, Tuma said. "I don't agree with felony charges for terms of service and contract violations."

But scrapping the law or making wholesale changes to it, as some are calling for, is not a good idea, he said. The CFAA is an effective tool against data theft and sabotage. Businesses need such laws to keep information secure, he said. Congress realizes that, which is why it has been so reluctant to support calls for CFAA reform in a bigger way, he said.

Swartz's death, and the subsequent calls for CFAA reform, have also made both prosecutors and courts more careful in ensuring that the law is applied in the spirit in which it was written, Tuma said.

A coalition of Internet companies and privacy groups plan an online protest against government surveillance of Internet users on Feb. 11, in memory of Swartz.

This article, A year after Swartz suicide, reform of anti-hacking law remains elusive, was originally published at Computerworld.com.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.
