In January this year, political activist and net guru Aaron Swartz committed suicide. Facing the potential of years in prison for downloading a database of academic articles, Swartz had exhausted his wealth and his will to fight. With the help of a rope, he gave up.
Swartz's death has turned a light on the statute that had put Swartz's liberty in jeopardy: the Computer Fraud and Abuse Act, or CFAA for short. This federal criminal statute has gotten way out of hand. The CFAA was passed in 1986 to punish the new crime of computer hacking. But a lot has changed since 1986. Use of computer networks was rare then. Now it is ubiquitous. And Congress has expanded the law several times, making its reach broader and its punishments more severe. The act has become a sprawling mess -- a powerful and mysterious weapon that could potentially reach millions of ordinary Americans.
And prosecutors have interpreted it incredibly broadly. In one case, the government prosecuted a woman for violating the terms of service of a social-media site. In another, now on appeal, the government brought charges for visiting a company website to collect information that the company had published on the web but had not intended to be widely viewed. (Disclosure: One of us, Orin Kerr, is part of the team of lawyers working on the appeal.)
The problem results from the law's vague language: The act criminalizes "unauthorized access" to a computer. But almost 30 years after its passage, no one yet knows when access is unauthorized.
Some courts say (correctly, we think) that access is unauthorized only when a person bypasses a technological restriction like a password gate. But other courts take a broader view, finding access unauthorized whenever a user violates the terms of service on a website or even just uses the computer in a way the owner wouldn't like.
The difference is huge. Under the narrow reading, the law only prohibits breaking into a computer -- the sort of thing that very few people do. But under the broader approach, the law criminalizes the ordinary behavior of millions.
Terms of service on websites routinely say, for instance, that users must enter only truthful information. As Judge Alex Kozinski, a Reagan appointee, wrote, the law -- at least as the government reads it -- means that "describing yourself as 'tall, dark and handsome' [on a dating website] when you're actually short and homely [could] earn you a handsome orange jumpsuit."
The law cries out for a common-sense reworking. After Swartz's death, a cross-partisan coalition in Congress, led by Democrat Zoe Lofgren and Republican Darrell Issa, did just that, proposing a law that would end liability for terms-of-service violations and would limit felony liability for violations. But, incredibly, some in Congress are going the other way. Last month, the House Judiciary Committee, ignoring that common-sense reworking, circulated a draft of proposed changes to the law that would actually increase its penalties, not decrease them -- making the law even broader and more punitive than before. The new bill would jack up criminal penalties and largely embrace the broadest views of the law's reach.
Some suggest that the Judiciary Committee's proposed changes would soften the CFAA by limiting liability for violating terms of service to a few specific situations. But those situations are hardly specific. To the contrary, the circulated bill is written in such vague terms that the proposed changes impose almost no limits at all. One of the "specific situations," for example, makes it a felony if a person violates terms of service to obtain information that is "sensitive." But sensitive in what way, and to whom? The language doesn't say, and you can bet that prosecutors will see information as sensitive whenever they want to bring a prosecution.
Defenders of this mass criminalization tell us not to worry. Even if the law is over-broad, they say, prosecutors will be careful. Only really dangerous hackers will be hit. But as recent prosecutions demonstrate, trust hasn't worked. It's time to cut back on this massive overregulation by narrowing the reach of the law.
This shouldn't be a partisan issue. One of us is a Republican former prosecutor, the other a progressive activist. But we are united on this issue, because all of modern life is mediated by computers. Many of us spend most of our day online. A law that makes routine computer use a federal crime is a law that makes all of us criminals.
Serious invasions of privacy should of course be prosecuted. Punishments for malicious hacking should be swift and strong. But just as bad things can happen online, so too can much good. The law should not confuse the two by labeling innocent conduct a felony. Congress should reject efforts to broaden the CFAA, and work instead to focus the law in ways similar if not identical to the ones along the lines of the legislation proposed by Representatives Lofgren and Issa. Violating terms of service shouldn't be a crime. Minor intrusions should be treated as minor crimes. The goal must be to punish evil while leaving the rest of us alone.