US policy overhaul is key for Aaron's Law protection

An overhaul of the US Computer Fraud and Abuse Act (CFAA) is sorely needed in order to better protect users from overly harsh and invasive government prosecution, according to experts.

Speaking on Monday evening in San Francisco, a panel of attorneys and activists outlined the ways in which the outdated and vague US federal law is leaving users and researchers open to many of the same charges that Reddit founder Aaron Swartz faced when he committed suicide earlier this year.

Swartz, who was serving at the time as a fellow at Harvard University, was facing charges for copying and redistributing hundreds of academic articles. Had he been convicted, he could have faced more than a decade in prison.

Swartz's case was used by the panelists as a textbook example of just what is wrong with the CFAA. First drafted as a means to protect vital government and financial infrastructure, the CFAA has since been expanded to the point where users can face criminal charges for little more than violating a provider's terms of service (TOS).

Trevor Timm of the Electronic Frontier Foundation said: “If you go above and beyond what a website says you can do, you are potentially violating criminal law. They can turn this law into a sword that they can use against anybody whose politics they don't like.”

The panellists agreed that while the CFAA does have a use in helping to deter malicious activity, the vague and open nature of the law also leaves ordinary citizens and researchers open to criminal charges and legal intimidation from vendors.

For cases such as those of Andrew 'Weev' Auernheimer, the researcher who faces years in prison for gathering email addresses as part of research into security flaws at AT&T, the CFAA provides a dangerous precedent that threatens legitimate security work.

Berin Szoka, president of Tech Freedom explained: “This law, if it were narrowly tailored, should be a privacy protection law against people that would steal not only copyrighted information but also personal data. The question is how do you narrowly tailor that law to that purpose.”