George Washington University Law Professor Orin Kerr seemed a lonely voice at a House of Representatives Judiciary Committee hearing on March 13.
Standing out amid representatives of the Department of Justice, the Federal Bureau of Investigation and the anti-piracy watchdog BSA-The Software Alliance — all extolling the dangers of the digital frontier — Kerr called for loosening America's marquee computer law.
The Computer Fraud and Abuse Act (CFAA), originally passed in 1984, criminalizes routine violations of terms of service — those long legal contracts most Internet users scroll past before accessing sites like Facebook and Twitter.
The 30-year-old law is “remarkably vague,” Kerr, an expert in computer crime, argued, noting it prohibits much of what is today considered typical computer usage.
He said it also allows prosecutors to compound charges, making penalties for computer crimes significantly harsher than their “real world” counterparts.
Put simply, under the CFAA, digital trespassing is dealt much more severe penalties than the physical act of breaking and entering.
At the hearing, which was called by Judiciary Committee Chair Bob Goodlatte for the purpose of “investigating 21st century cyber threats,” Kerr appeared a lone advocate for restraining the CFAA, but things look very different outside the Beltway.
The January 11 suicide of Internet pioneer Aaron Swartz, who had been charged with multiple violations of the CFAA, continues to generate a groundswell of support for the law's reform.
On April 13, thousands are expected to descend on Boston for a “Day of Action” culminating in a rally in support of “Aaron's Law,” which proposes a series of changes to the CFAA.
David Moon, program director at Demand Progress, the activist organization founded by Swartz, says three key changes are needed:
- Decriminalize terms of service violations. “Prosecutors have used their novel interpretations of the CFAA to get people for lying on MySpace as a felony crime, for instance,” Moon said in a recent interview with The Crime Report. “That's unacceptable.”
- Make it clear that “spoofing,” or changing one's Media Access Control (MAC) address —the unique identifier assigned to individual machines on a network— is not grounds for felony charges, in and of itself. In Swartz's indictment, prosecutors highlighted the fact that he spoofed his MAC address.
- Rein in penalties.
“In our view, the penalties are just out of whack,” Moon said.
He added that Swartz's experiences during pre-trial had made him particularly concerned with “the criminal justice system overall, everything from mass incarceration and prosecutorial abuse, to the sort of broader implications of harsh penalties.”
Swartz was arrested in January 2011 after utilizing the famously “open” wireless network at the Massachusetts Institute of Technology (MIT) to download four million JSTOR articles.
Although JSTOR declined to press charges, Swartz's trespasses at MIT — both the physical, which involved unauthorized access to a wiring closet, and the digital violation of the college's terms of service — netted him charges that could have carried up to three decades in prison.
Since his suicide, prosecutors have revealed they offered a plea deal that would have limited Swartz's prison time to several months. But outrage at the harshness of his potential punishment has persisted.
Threat of Prison
For many, the fact that gaming an open network could give prosecutors enough ammo to negotiate using prison sentences that most would associate with violent crimes was cause enough for alarm.
“We should be deeply concerned about a system in which official discretion reigns almost unfettered where it matters most,” University of Tennessee law professor Glenn Harlan Reynolds wrote in an essay a week after Swartz's suicide.
Soon after, Rep. Zoe Lofgren (D-California) began drafting “Aaron's Law,” which would weaken the CFAA's ability to penalize terms of service violations; and Senators John Cornyn (R-Texas) and Al Franken (D-Minnesota) sent letters to Attorney General Eric Holder denouncing the “remarkably aggressive” prosecution.
But before “Aaron's Law” can come to a vote, it has to get through the House Judiciary Committee, a body that at the moment seems more concerned with strengthening the CFAA than loosening it.
Confusion and Concern
At Kerr's appearance, an exchange with Rep. Jim Sensenbrenner (R-Wisconsin), chairman of the Crime, Terrorism and Homeland Security Subcommittee, illustrated the mix of confusion and concern with which many legislators approach CFAA changes.
“Now it's obvious if somebody got into the mechanical room at Space Mountain in Disney World and you know, pulled a pin on that, and all of a sudden the cars, you know, stopped abruptly and if nobody was injured, maybe it was lucky—but how about a cyber trespass that would have just as much damage, and that would be a violation of a term of service?” Sensenbrenner asked Kerr.
“Shouldn't that be criminalized as well?”
It already is, Kerr explained, noting that intentionally causing damage to a computer is illegal without the additional terms of service provisions included in the CFAA.
Sensenbrenner seemed unconvinced.
Last week, his subcommittee began considering an update to the CFAA that will provide plenty to talk about at Aaron Swartz's “Day of Action.”
Instead of weakening the CFAA, the proposal would turn violations of the CFAA into a “racketeering” offense. If passed, those charged with crimes similar to Swartz's could face significantly more than 35 years in prison.
Taren Stinebrickner-Kauffman, an Internet activist who is Swartz's former-girlfriend and one of the most outspoken critics of his prosecution, decried the proposed changes in a recent blog post.
“It's an affront to Aaron's memory and the countless concerned Internet users who've cried out since his passing,” wrote Stinebrickner-Kauffman, who will be speaking at the April rally.
Graham Kates is deputy managing editor of The Crime Report. He welcomes comments from readers. He can be found on Twitter, @GrahamKates.