Efforts to revise a long out-of-date computer fraud law are continuing to gain momentum following the suicide last month of Web activist Aaron Swartz.
The most recent news is that Sen. Ron
Wyden (D-Ore.) and Rep. Zoe Lofgren (D-Calif.) unveiled a revised version of "Aaron's Law," a bill that aims to clarify that violating a
company's terms of service isn't a federal crime.
Currently, the Computer Fraud and Abuse Act, which dates to 1984, prohibits people from exceeding their authorized access to a computer
network. The problem is that the concept of "authorized access" is so broad that nearly everyone who violates a company's terms of service -- such as by using a fake name on a social networking site
-- could be a criminal.
Swartz was indicted for violating that law (as well as a law prohibiting wire fraud) by using the Massachusetts Institute of Technology's computer network to download
more than 4 million scholarly articles from academic publisher JSTOR. MIT realized that the downloads were occurring and implemented technical barriers, but Swartz got around them by changing his MAC
address and IP address.
Many people think Swartz downloaded the documents because he wanted to make them more accessible to the public. For this alleged crime, Swartz could have been sent to
prison for decades. He hanged himself last month, after plea negotiations broke down.
Lofgren says on Reddit that her latest version of Aaron's law "explicitly excludes breaches of terms of
service or user agreements as violations of the CFAA and wire fraud statute." She adds that the new draft specifies that efforts to prevent identification (such as by changing MAC addresses or IP
addresses) don't constitute computer fraud or wire fraud.
The digital rights group Electronic Frontier Foundation says that Lofgren's bill is a good start, but that the law's penalties also
should be revised. "Brilliant, talented, visionary people should be spending their time building our future, not worrying about wasting away in prison," the group says.