Yesterday, Representative Zoe Lofgren introduced on Reddit a bill to improve the Computer Fraud and Abuse Act in the wake of Aaron Swartz's suicide during the pendency of his prosecution for violating various provisions of that law and of the Wire Fraud Act. I've attached a redline of how her bill would change the current law.
This is a welcome and much needed step from a great legislator. There are obvious co-sponsors for this effort, including Darrell Issa (R-Calif) who knew Aaron, and spoke out eloquently about the potential for abuse when prosecutors use long maximum sentences to incentivize guilty pleas from individuals charged for borderline conduct under vague statutes:
I’ll make a risky statement here: Overprosecution is a tool often used to get people to plead guilty rather than risk sentencing,” Issa said. “It is a tool of question. If someone is genuinely guilty of something and you bring them up on charges, that’s fine. But throw the book at them and find all kinds of charges and cobble them together so that they’ll plea to a 'lesser included' is a technique that I think can sometimes be inappropriately used.
Amen.
The bill is a good start, but with small adjustments, it could better meet the twin goals of (1) ensuring that noone goes to prison for terms of service violations and (2) preventing the next prosecution of someone like Aaron Swartz.
The purpose of the CFAA is to prohibit when an individual accesses a computer without permission or obtains or alters information on a computer beyond that which he is authorized to access. This very basic idea has been distorted in part because of a poorly phrased definition of "exceeds authorized access". 18 USC 1030(e)(6). That definition says:
the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter;
Some Circuits have held that the word "so" means that the computer owner can use the CFAA's civil and criminal provisions to enforce all sorts of rules about when, how and why computer users access, use and distribute stored information. This phrasing is what's lead to the problem of terms of service prosecutions, as well as cases holding that disloyal employees are federal felons. A simple and critical way to fix the problem is to delete the word "so". Congress could also add the word "otherwise" in front of access, to make clear that if you are allowed to access your work files from your office, or download journal articles while on the MIT network, its not a crime merely to access those files when you are working from home, or to download those same articles with an automated script. This fix would look something like this:
the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not otherwise entitled to obtain or alter, and does not include access in violation of an express or implied agreement, contractual obligation, acceptable use policy, terms of service agreement, duty of loyalty or other non-code based restriction.
This formulation doesn't interfere with trade secret protection, copyright or any other law that protects against misuse of information. It just ensures that the mere fact that information is stored on a computer doesn't give the computer owner plenary rights to control how otherwise authorized users may interact with that data, on penalty of prison.