Lawmakers in the House and Senate have formally introduced a bill that would amend the Computer Fraud and Abuse Act, a long-outdated law that potentially criminalizes many activities that have become
commonplace online.
The new measure, introduced today by Reps. Zoe Lofgren (D-Calif.) and Jim Sensenbrenner (R-Wisc.) and Sen. Ron Wyden (D-Ore.), would make clear that people who violate private
companies' terms of service don't commit computer fraud.
As currently written, the 1984 computer fraud law makes it a crime to exceed “authorized access” to a computer. The problem
is, the concept of “exceeding authorized access” is so broad that it can cover a host of activity that no one thinks should be a crime. For instance, people who violate a social networking
company's terms of service -- such as by registering with a fake name -- theoretically could be prosecuted for computer fraud.
But the proposed revision, named “Aaron's Law,” will
significantly narrow the type of activity considered computer fraud. The bill still
makes it a crime to get around technological restrictions on access by using deception -- as phishers do. It is also a crime to share log-in credentials in certain circumstances. But violating terms
of service could no longer be a basis for prosecutions.
The proposal is named for Aaron Swartz, an activist who hanged himself in January while under indictment for violating the computer
fraud law. Specifically, Swartz was accused of using the Massachusetts Institute of Technology's computer network to download more than 4 million scholarly articles from academic publisher JSTOR,
without authorization by MIT or JSTOR. Many people think Swartz downloaded the documents because he wanted to make them more accessible to the public.
The new proposal also spells out that the
maximum penalty for violations is one year in prison, unless the total fair market value of the information obtained without authorization amounts to at least $5,000. In that case, the maximum penalty
would increase to five years' imprisonment.
The bill is backed by digital rights groups, including the Center for Democracy & Technology. “Breaking a promise is not the same as
breaking into a computer, and shouldn’t be a federal crime,” Kevin Bankston, director of CDT’s Free Expression Project, said in a statement. “Only people who break into
computers by circumventing technical restrictions should be prosecuted as computer criminals.”