Congress’ New CFAA Draft Could Have Put Aaron Swartz in Jail For Decades Longer Than the Original Charges

Deeplinks 2013-03-30

Summary:

Law professor and historian Tim Wu has called the Computer Fraud and Abuse Act (CFAA) the “worst law in technology.” The Ninth Circuit Court of Appeals has described the government’s interpretation of it “expansive,” “broad,” and “sweeping.” And Orin Kerr, former federal prosecutor and law professor, has detailed how the government could use it to put "any Internet user they want [in jail]."

So it's pretty surprising to see that now, instead of reining in the CFAA’s dangerous reach, the House Judiciary Committee is floating a proposal to dramatically expand it and is reportedly planning to rush it to the floor of Congress during its April “cyber” week.

Take action to fix computer crime law.

The CFAA, of course, is also the computer trespass law that prosecutors misused to hound the late activist and Internet pioneer Aaron Swartz. Aaron’s tragic death resulted in outrage across the political spectrum and led to calls for real reform that would bring the law back to its reasonable purpose of criminalizing malicious computer intrusions, rather than handing out draconian penalties for minor infractions and turning terms of service violations into criminal acts.

So why is the House Judiciary Committee floating a proposal that goes so clearly against the public opinion? Their reasoning is almost hard to fathom.

Techdirt’s Mike Masnick posted a new draft and analysis of the CFAA expansion bill on Monday. The changes are nothing short of outrageous and should brand supporters in Congress as out of touch and downright hostile to the Internet. Users concerned about Internet rights should contact their representatives immediately.

Perhaps the most disturbing aspect: instead of reducing the penalties for crimes that don’t cause much economic damage, it dramatically increases them. For example, Aaron faced four charges under section (a)(4) of the CFAA, which had a maximum sentence of five years each. EFF, Orin Kerr and many others have proposed removing (a)(4) entirely since it creates double penalties for the same behavior criminalized elsewhere in the law.  What does the new draft do? It increases the maximum under (a)(4) to twenty years for each charge. As Internet law scholar James Grimmelmann remarked Monday, the thought of Aaron facing more time is “simply obscene.”

The new draft also now turns CFAA violations into a “racketeering” offense, adding yet another layer of charges the DOJ can add to the charge sheet of a hacker it doesn’t like. It also adds a broad conspiracy charge that carries the same penalty for actually committing an offense. Essentially, talking about committing computer crimes without actually doing so can land you in prison.

Most troublingly for innovation and for user empowerment, the bill “clarifies” its definition of “exceeding authorized access” to include  accessing information for an “impermissible purpose”—even if you have permission to access the information in the first place. That codifies the misguided idea that any terms of service violation is indeed a crime, effectively undoing good rulings in the 9th and 4th Circuits.

The CFAA already reaches computer intrusions, serious denial of service attacks, password misuse and attacks on national security computers.  Those provisions are important. The Department of Justice has more than enough tools it needs to go after real criminals using this law and a host of others—including criminal copyright, trade secrets, identity theft and other laws. It should use those tools rather than coming back to Congress for more, especially now that it's just been caught misusing the law so egregiously in Aaro

Link:

https://www.eff.org/deeplinks/2013/03/congress-new-cfaa-draft-could-have-put-aaron-swartz-jail-decades-longer-he-was

From feeds:

Fair Use Tracker » Deeplinks
CLS / ROC » Deeplinks

Tags:

Authors:

Trevor Timm

Date tagged:

03/30/2013, 14:27

Date published:

03/27/2013, 12:16