As predicted, the suicide of Aaron Swartz, the widely admired hacktivist who helped create RSS and Reddit, has provoked at least one lawmaker to seek changes in the Computer Fraud and Abuse Act, or CFAA -- the law that federal prosecutors were using to try to send Swartz to prison.
Enacted in 1986, the act bars "unauthorized access" to government and financial data or to "protected" computers used in or affecting interstate commerce (e.g., Web servers). Its broadest provision outlaws accessing "protected" computers without authorization and with intent to defraud, obtaining anything worth more than $5,000.
Swartz was charged with three different violations of the act as well as committing wire fraud, which involves using communications technology to defraud someone or obtain property under false pretenses. Federal prosecutors reportedly demanded that Swartz go to prison as part of any plea deal; after Swartz's suicide, his family said that this pressure was at least partly to blame.
This week, Rep. Zoe Lofgren (D-San Jose) started floating a draft bill that would narrow the scope of the computer fraud act and the wire fraud law, addressing one of the ways prosecutors have stretched those laws to cover all sorts of alleged digital misdeeds. Her bill, which she dubbed Aaron's Law, would say that gaining access to or altering information in violation of a website's, ISP's or employer's terms of service or acceptable use policy was not, in and of itself, illegal.
Those changes are overdue. But whatever you think about Swartz or his case, his name isn't the right one for Lofgren's bill. As George Washington University law professor (and computer crime scholar) Orin Kerr noted, the charges against Swartz didn't stem from a gross expansion of the CFAA or the wire fraud act. What he was accused of doing -- downloading a huge quantity of journal articles from JSTOR, a nonpublic site that publishes academic research, from the Massachusetts Institute of Technology network despite repeated attempts by MIT and JSTOR to stop him -- is pretty squarely in the intended target of those two laws.
That's not to say Swartz actually violated the laws; computer security expert Alex Stamos argues in a persuasive blog post that Swartz didn't defraud anybody. But even if Lofgren's draft bill had been enacted before Swartz began downloading JSTOR articles in 2010, it's conceivable that prosecutors would still have brought a case against him because of the way he maneuvered around the barriers put up by JSTOR and MIT to continue downloading articles surreptitiously. He wasn't accused just of violating JSTOR's acceptable use policy with the high-volume downloads; he was also accused of gaining access under false pretenses. That's the heart of the CFAA.
A more clear beneficiary of Lofgren's legislation would have been Lori Drew. But then, no one's about to build a legislative campaign around a woman accused of helping her teenage daughter and a friend cyber-bully another teenage girl to the point of suicide. Still, the way federal prosecutors in Los Angeles contorted the CFAA to convict Drew -- a conviction that a federal judge later set aside -- was precisely the sort of thing Congress should stop. Lofgren's bill would do just that, barring prosecutors from holding people criminally liable for violating online terms of service that every Internet user routinely ignores.
Again, I'm not comparing Drew and Swartz here, just how prosecutors applied the CFAA in their cases. And if Aaron's Law actually gets enacted, it would be a fitting addition to the contributions that Swartz made in his all-too-brief time on Earth -- even if he's not the one who would have benefited the most from its adoption.
Follow Jon Healey on Twitter @jcahealey