The death of our friend Aaron Swartz has resulted in an unprecedented outpouring of grief, along with a strong commitment to use this tragedy to make some of the change Aaron wanted to see in the world.
At EFF, Aaron's death created two imperatives on issues that are close to our hearts. The first is to continue his work to open up closed and entrenched systems that prevent ordinary people from having access to the world’s knowledge, especially the knowledge created with our tax dollars. More on that soon.
The second imperative is to attack the computer crime laws that were so horribly misused in the prosecution of Aaron. That is the focus of this post.
In the spirit of Aaron’s commitment to transparency, this process should be as open as possible and so we’re showing our work earlier than we otherwise would. We’re still working on this and our initial thoughts are incomplete and subject to revision. Please join the conversation and let us know what you think and if you have other proposals or changes to the language.
So with that caveat, here are our initial suggestions to update the Computer Fraud and Abuse Act (CFAA) and wire fraud law to address some of the key problems Aaron faced. We would like to thank ACLU, CDT, and Jennifer Granick of Stanford's Center for Internet and Society and others who helped us draft these proposed changes, although given the press of time, we don’t have endorsement from anyone but EFF yet.
The initial changes we propose address two problems. First, they ensure that when a user breaks a private contract like a terms of service or other contractual obligation or duty, the government can't charge them criminally under the CFAA or wire fraud law—two statutes the Justice Department used against Aaron. This change codifies good court rulings that already exist in the Fourth and Ninth Circuits, but which didn’t reach Aaron’s actions in Boston (in the First Circuit).
The second set of changes ensures that no criminal liability can attach to people who simply want to exercise their right to navigate online without wearing a digital nametag. It ensures that changing a device ID or IP address cannot by itself be the basis of a CFAA or wire fraud conviction. This would not only have helped Aaron, but would also ensure that criminal liability doesn't reach people using these techniques for software and security testing that protects the rest of us. Further, the change would facilitate anonymous speech and enhance users' privacy on the Internet, two things we know Aaron cared about.
These suggestions expand on Zoe Lofgren's terrific start for Aaron’s law.
This proposal doesn't include suggestions for fixing the heavy penalties in the CFAA, something that is also sorely needed. Our thinking there is in the works. In the short term, Orin Kerr, a professor at George Washington Law School who has long written about the need to reform the CFAA, has also introduced proposed changes. We disagree with some of Professor Kerr's thoughts on the prosecution against Aaron, but he has proposed some changes to the CFAA that we like. Professor Kerr notes the CFAA punishes too many low-level offenses as felonies, and says the statute should be changed to make more of them misdemeanors. He also proposes repealing the computer fraud provision of the CFAA because it just punishes conduct already criminalized elsewhere in the law.
These ideas are a few small branches in a giant tree of potential reform. And it's a tree that needs to have strong roots. This root system is not just the larger Internet community, but the millions of people who saw Aaron as a principled person who was fighting for what he believed in and who faced an unjust punishment as a result.
We invite you to join the conversation about reforming the CFAA as one step toward making good change out of this tragedy. Right now it’s on Reddit, but it should move to the halls of Congress soon. We will be there, and we’ll need all of you there, too.