17 Jan 2013

CFAA may be Amended in Light of Swartz’ Suicide

The US Computer Fraud and Abuse Act (CFAA), which enforces anti-hacking punishments, may face revision in light of Reddit co-founder Aaron Swartz’ suicide, following a conviction that would have landed him 35 years in jail.

The proposal, entitled “Aaron's Law”, was introduced by California Rep. Zoe Lofgren, who believes that “certain violations of agreements or contractual obligations, relating to internet service,” should be removed “from the purview of certain criminal prohibition” under the CFAA.

Although the files Swartz accessed and downloaded from MIT’s database were only intended to be distributed freely and not sold for profit, current law condemns any unauthorized access.

"We should prevent what happened to Aaron from happening to other internet users," Lofgren said on social news site Reddit. "Using the law in this way could criminalize many everyday activities and allow for outlandishly severe penalties. When our laws need to be modified, Congress has a responsibility to act."

Swartz's defense prepared an expert witness to explain how Swartz's software downloading script was not malicious hacking software, but rather a command line tool designed to automatically download files.

“Aaron did not ‘hack’ the JSTOR website for all reasonable definitions of ‘hack’. Aaron wrote a handful of basic Python scripts that first discovered the URLs of journal articles and then used curl to request them,” said the witness, Alex Stamos, CTO of Artemis Internet. “Aaron did not use parameter tampering, break a CAPTCHA, or do anything more complicated than call a basic command line tool that downloads a file in the same manner as right-clicking and choosing ‘Save As’ from your favorite browser.”

Although “Aaron's Law” is far from amending the Computer Fraud and Abuse Act, a petition on the White House’s website “We The People” was filed and awaits 25,000 signatures before the President officially addresses it.