"Aaron's Law" would reform the heavy-handed law blamed for Aaron Swartz's death. But tech giants are lobbying to stall reform.
Aaron Swartz’s death galvanized CFAA reform in his name. Image: Paretz Partensky/Flickr
The problematic, out-of-date Computer Fraud and Abuse Act, inspired by the 80’s movie War Games, is a favorite litigious tool of the government and corporations alike, and in recent years has been used to imprison certain hacktivists. Most notoriously, it’s blamed for internet activist Aaron Swartz’s tragic suicide.
Yet every time someone tries to reform the controversial law, corporations step in and stop it. Specifically, Silicon Valley corporations.
Why? Because in its current form, with vague wording that’s prone to abuse, the CFAA makes it very easy for corporate giants to sue people—anyone from employees to users that violate Terms of Service agreements. Efforts to reform the law have been squashed by millions of dollars in lobbying funds from tech companies that don’t want to lose this important legal weapon.
Even when the reform bill is named for someone as influential as Swartz, who significantly changed Silicon Valley culture.
Swartz’s impact on the digital realm is substantial; Creative Commons, RSS, Reddit, and Demand Progress are all Swartz creations. Besides changing how we share, consume, and act upon information on the web, Swartz is credited with stopping SOPA, a bill that if passed threatened to destroy the internet as we know it. After his suicide, Swartz’s parents blamed the US government, who charged their son with CFAA violations that amounted to 35 years of jail time. His felony-worthy crime? Downloading too many academic articles in an act of civil disobedience. Swartz’s death galvanized CFAA reform in his name, with a proposed amendment called “Aaron’s Law.” It was one bright spot in an otherwise bleak time.
In a nutshell, Aaron’s Law seeks to amend the CFAA gently by changing the current problematic language with two edits. First, it would delete the phrase “exceeds authorized access” and second, define what “access without authorization” means. Currently, these two vague phrases are used to charge people with felonies for anything from actually hacking into a database to violating a site’s Terms of Service by lying about their age and gender online. Under the current CFAA, lying about your age is as criminally punishable as stealing someone’s credit card information.
"Tech companies wanted to be able to threaten their employees and contractors with jail time if they misuse company information.”
Aaron’s Law would refocus the CFAA to target more extreme criminal activities like phishing for credit card information and injecting viruses onto servers, which was actually the original purpose of the law before it became a favorite litigious tool for all manner of digital crime. This refocusing of the CFAA would come from defining “access without authorization” to mean “actual unauthorized access to information by circumventing technological or physical controls—such as password requirements, encryption, or locked office doors,” wrote Aaron’s Law co-sponsors in Wired last year.
Congresswoman Zoe Lofgren and Senator Ron Wyden introduced Aaron’s Law last June to much fanfare and positive press—they even got the internet to look over it before they took it to Congress—and now, with the Aaron Swartz documentary Internet’s Own Boy in theaters, I decided to check on the amendment’s progress. Given the internet’s support for the amendment and for all things Swartz, I had high hopes. Shockingly, Aaron’s Law has gone nowhere since last year, and hasn’t even budged from the subcommittee it was introduced in.
In an interview with a Canadian-based news outlet, Internet’s Own Boy filmmaker Brian Knappenberger cited Oracle Corporation and CEO Larry Ellison as the company primarily responsible for the Congressional inaction. Founded in 1977, Oracle sells tech products ranging from computer hardware like graphics cards to database software. Oracle had financial reasons for keeping the CFAA as is, Knappenberger was told, which included the continued ability to go after competitors aggressively.
Calls and emails Motherboard made to various personnel at Oracle Corporation were not returned, and the first phone call to Oracle actually resulted in staff hanging up abruptly. Publicly available lobbying reports filed by Oracle for each quarter since Aaron’s Law was introduced (see Q2, Q3, Q4) confirm Knappenberger’s information. The tech giant spent on average $1.5 million each quarter lobbying Congress to stop Aaron’s Law, in its entirety, in 2013.
The legal team at the Electronic Frontier Foundation also confirmed Oracle as the main corporation stalling Aaron’s Law, but noted it wasn’t the only tech giant actively trying to keep the CFAA in its current, dangerous form.
“It is true that we were told by Congressional staffers that opposition from Oracle, and a tepid response from some other tech companies, including Google, have currently stalled the bill,” wrote Cindy Cohn, the legal director at the EFF. (Google denies taking any stance on any CFAA reform.)
“Oracle believes that it is important that it be able to threaten criminal liability against people who violate its contracts,” she said. “We also heard that other tech companies wanted to be able to threaten their employees and contractors with jail time if they misuse company information.”
By contracts, Cohn here means what employees sign when they go work for a tech company, as well as all ToS customers agree to when they sign up for, or buy, one of Oracle’s products. For example, if you download Oracle’s Terms of Service agreement from the company website and rearranged the text to say “eat a bunch of dicks,” this is a chargeable offense under the CFAA.
If you printed it out and distributed your “Oracle can eat a bunch of dicks” pamphlet at your local subway stop, it could charge you for this too, because your zine has violated two counts of their ToS. This is the same way the government made the leap that Swartz violating an academic journal’s ToS by downloading too many articles was a felony punishable by decades of jail time. The current CFAA makes no distinction between pirating Oracle software and making crude, immature zines, and they like it this way.
Adobe and the Software and Information Industry Association (SIAA) also came up as anti-CFAA reform while conducting research for this article. The SIAA represents hundreds of companies including Oracle, Google, Goldman Sachs and educational companies like Amplify, Teachley, TeacherMatch and the MIT Technology Review.
When the SIAA is not hosting conferences, their main function is to actively lobby Congress. Back in 2012, Senators Chuck Grassley, Al Franken, and Mike Lee were trying to reform the vague language in the CFAA but SIAA lobbyists opposed all “proposals that would limit the definition of ‘exceeds authorized access’ in the CFAA in any way that would prevent its application to violation of contractual obligations or agreements.” In April of 2013 the group, particularly Adobe and Oracle, were still fighting CFAA reform. Oracle’s quite dogged in its anti-CFAA reform stance.
Swartz’s death galvanized CFAA reform in his name, with a proposed amendment called “Aaron’s Law.” It was one bright spot in an otherwise bleak time.
Despite the pushback from Oracle Corporation and hesitation from unnamed tech companies, the supporters and co-sponsors of Aaron’s Law remain positive, saying the proposal has already had a legal impact. Demand Progress’ David Segal wrote in an email, “Aaron's Law doesn't look poised to move just now, but it's served a very important purposehaving it introduced makes it far less likely that the CFAA will be expanded, and we've found ourselves having to fend off expansion efforts at least twice in the last year.”
Aaron’s Law co-sponsor Senator Wyden told Motherboard in a statement he is still working on building support for the amendment and that the current proposal “is sending a clear signal to the Department of Justice and overzealous prosecutors.” He added, “Americans should not be subject to felony prosecution, for example, for violating a Term of Service”—which sadly “wasn’t the case with respect to Aaron.”
Near the very end of the Internet’s Own Boy, George Washington University Law School professor Orin Kerr tells Knappenberger the legal system is “still trying to figure out what’s the line between less serious offenses and more serious offenses” when it comes to computer crimes and misuse and the CFAA. But how can lawmakers figure out where that line is, when they’re influenced by big money fighting every effort to define it?