It’s almost impossible to talk about the Computer Fraud and Abuse Act (the “CFAA”) without first mentioning Aaron Swartz. Aaron Swartz was a computer programmer and Internet activist who ran afoul of the Justice Department just a few years ago. Police arrested Swartz in 2011, after he allegedly accessed the computer network at the Massachusetts Institute of Technology and downloaded nearly 5 million journal articles from JSTOR, an online database. The case became instantly controversial as Swartz was essentially being charged with accessing an “extraordinarily open” MIT network and, as Swartz-founded Demand Progress put it, “checking too many books out of the library.” In January of 2013, roughly two years after he was arrested, Swartz committed suicide. While we’ll never know exactly why Swartz chose to end his own life, many believe that his decision was due, in part, to the criminal charges levied against him by the government. Swartz was charged with 13 felony counts, including several counts of wire fraud and computer fraud, and faced 35 years of prison time. All of these charges arose under the overbroad CFAA.
After Swartz’s death, there was a nearly universal call to reform the CFAA, which was described as outdated, vague, and, with regard to some punishments, redundant. In June of 2013, there was a bipartisan attempt to reform the CFAA when two senators introduced Aaron’s Law, aimed at updating the CFAA to focus more on prosecuting dangerous online attacks and distinguishing them from common online activities. Aaron’s Law sought to curb prosecutorial discretion, remove redundant punishment provisions, and reform CFAA penalties. Unfortunately, congressional gridlock last summer meant that Aaron’s Law was not passed, and the CFAA remains unchanged today. In fact, there have been moves to strengthen the CFAA’s enforcement to include “attempted hacks, as well as conspiracies to hack.”
Recently, however, the Justice Department stated in congressional testimony that it would be open to reforming the CFAA to make it more difficult for the government to prosecute minor computer infractions. As the CFAA stands now, a violation can occur for simply violating a website’s Terms of Service. When a ToS violation is as simple as misstating your age in a dating profile, the CFAA’s harsh criminal penalties hardly seem appropriate. The Justice Department hasn’t made it clear exactly what sort of CFAA reforms they’d like to see, but their openness to the reform is a huge step for the department, which was so aggressive in the Swartz case. It’s possible that the Justice Department is taking its lead from recent court cases. Two recent cases decided by the Ninth and Fourth Circuits found that a ToS violation was not sufficient to violate the CFAA and that the CFAA could not be used to prosecute a violation of an employer’s computer policies, respectively.
While reform for the CFAA may be slow in coming, it’s important that the Justice Department at least recognizes the need for change. The CFAA was enacted in 1986, and cannot possibly keep up with today’s advances in technology. With some calling harsh CFAA punishments the “new War on Drugs,” the government must take care to ensure that the tragedy of Aaron Swartz can never happen again. Tailoring the CFAA to focus on serious, malicious cyber-attacks could help to accomplish just that.