'Aaron's Law' Reintroduced as Lawmakers Wrestle Over Hacking Penalties

The proposed bill would update the Computer Fraud and Abuse Act to keep small violators from being charged under federal law.

Participants compete behind their computers during an "ethical hacking contest" in Geneva. (National Journal)

More than two years after the death of Aaron Swartz, a programmer and online activist who took his own life after being charged with data theft, lawmakers are trying for a second time to pass a bill that would soften the terms of the law he was charged under.

Democratic Sen. Ron Wyden of Oregon and Democratic Rep. Zoe Lofgren of California on Tuesday reintroduced the so-called "Aaron's Law," which they say would clear up vague language in the Computer Fraud and Abuse Act to keep low-level violators from getting in trouble with the law.

As it stands, accessing a computer without authorization is a federal crime, something critics say can lead to the aggressive prosecution of small-time lawbreakers. The bill would narrow the scope of the CFAA so that basic offenses like violations of a website's or software's terms-of-services agreement could not lead to federal charges. It would also limit prosecutors' ability to bring federal charges on top of state charges.

"At its very core, CFAA is an anti-hacking law," Lofgren said in a statement. "Unfortunately, over time we have seen prosecutors broadening the intent of the act, handing out inordinately severe criminal penalties for less-than-serious violations. It's time we reformed this law to better focus on truly malicious hackers and bad actors, and away from common computer and Internet activities."

The proposed law is supported by Republicans Rand Paul of Kentucky in the Senate and Jim Sensenbrenner of Wisconsin in the House.

"I am proud to join Sen. Wyden and Rep. Lofgren today in offering this bipartisan and bicameral legislation which will amend the Computer Fraud and Abuse Act," Paul said. "Aaron's Law will reduce overbroad prosecutions and adjust unfair sentencing practices."

Swartz, the bill's namesake, was charged in 2011 under the CFAA for gaining unauthorized access to JSTOR, a subscription-based library of academic journals and papers. He allegedly downloaded almost 5 million articles from the database. Swartz was facing up to 35 years in prison and $1 million in fines when he was found dead in his apartment in January 2013.

The CFAA in its current form is harmful to computer security researchers—who hack into devices and networks to find and expose vulnerabilities—according to the Electronic Frontier Foundation, because it exposes researchers to liability and punishment at the same level as malicious hackers.

The reintroduction of Aaron's Law comes after a week after Wyden and Democratic Rep. Jared Polis of Colorado proposed an update to the Digital Millenium Copyright Act, which would also seek to reduce the burden of liability that security researchers face when they attempt to get into devices and networks.

Aaron's Law was first introduced in 2013, months after Swartz's death, but it stalled in the face of differences between the sponsors, Wyden and Lofgren, and House Judiciary Committee chairman Bob Goodlatte.

This post has been updated with a statement from Sen. Rand Paul.