Second time's the charm? The welcome return of Aaron's Law

Congress can finally right its wrongs with the Aaron Swartz tragedy with the passing of this much needed cyber crime bill

A long, long, long time ago, a well-meaning wingnut told a collegiate me that I’d make a good lawyer. In response, I keyed his car. I can barely take the law as a journalist, let alone an active participant. Writing law is at best a vague and chaotic process. Interpreting that law is an exercise in highly paid professional obfuscation that makes angels cry.

A movie director might take that last sentence and interpret it as a smarmy defense attorney in a shiny suit getting a multiple kitten-kicker acquitted, on the grounds that the client’s activities technically corresponded to the Congressional interpretation of medical research set forth in Buttons v. Mengele. But in real life, legal nebulosity runs on both sides, not only the defense.

Judges, prosecutors, and law-enforcement agencies of all sizes and alphabet combinations will twist and broaden the law anyway they can to get what they want. Take one of my favorite Washington weasels, Senate Majority Leader Mitch McConnell (R-Ky.). Parts of the precious Patriot Act he loves so much are set to expire, specifically Section 215, which is the cute part that’s allowed Uncle Sam’s many minions to bag big honking peta-reams of “business data” (read: phone records).

Senator McConnell can’t handle 215’s demise, possibly because some of his rhetoric sounds like he may be a really long-lived redcoat. Rather than prove 215’s virtues in open debate, he drafts legislation to keep it going till 2020 and invokes a Senate rule that bypasses the usual committee process and, in a Hail Mary, sends the thing to the floor for a vote -- the right way, the wrong way, or maybe the real-life, twist-the-lawmaking-process-to-get-what-you-want way.

Aaron's Law: A second chance

I’m not a fan of sneaky law-twisting, which is why I was pleasantly surprised when a trio of legislators recently reintroduced Aaron’s Law (not to be confused with the bill to make homicide legal for NFL players). Aaron’s Law seeks to redefine various “hacking” activities so that they more directly refer to malicious acts rather than whatever a drunken prosecutor might want them to be as noted in the current Computer Fraud and Abuse Act (CFAA) passed in 1986. Aaron’s Law was originally introduced in the last Congress, but couldn’t get enough love. Now it’s back, promoted by Rep. Zoe Lofgren (D-Calif.), who’s backing the House version, as well as Sens. Ron Wyden (D-Ore.) and, ironically for Kentuckians, Rand Paul (R-Ky.) who are co-pushing the Senate companion bill.

Aaron’s Law is named for Aaron Swartz, a programmer and hacktivist who liked to form nonprofits that aimed to use technology to promote democracy, share information, and other craziness. Though this may not be news to my regular readers, let me recap.

In 2011, Aaron was arrested on a slew of charges after he broke into a wiring closet to download a large number of academic journal articles from a digital repository. Basically, he connected a laptop to a switch in an unlocked wiring closet, used academic account access to get into the database, and started a download script. Ostensibly he did it because he wanted to share the articles with the public -- notably third-world academia, which was barred from access. Oh, the evil that men do!

Swartz was arrested four months after he began the JSTOR download. In a federal case, prosecutors used CFAA to interpret his crimes as broadly as possible, which let them initially threaten him with between 35 and 50 years of imprisonment and a cool million bucks in fines.

However, prosecutors were so unshakably confident in their case against Swartz that they suddenly flip-flopped and offered a plea deal amounting to six months in a low-security prison. That discrepancy illustrates what a boatload of legal critics call “the overzealous nature” of the prosecution.

Swartz turned down the deal, opting instead for open court where prosecutors would have had to not only make their oh-so-solid case but also justify why so much federal heat came down on a guy downloading fancy magazine articles. Compared that to, say, last year’s revelation that the CIA had blatantly hacked into Senate computers -- perpetrators there admitted responsibility for stealing data concerning top-secret torture techniques, but the Justice Department declined to pursue any prosecution whatsoever. Apparently prosecuting T-shirt-clad nerds is more fun than chasing CIA hackers, even with confessions. Originally, Swartz must have been confident to turn the deal down, but allegedly due to his continuing bouts with depression, he eventually committed suicide.

The obvious conspiracy theory/tinfoil hat angle aside, the impetus behind Aaron’s Law is that prosecutors were too eager to bring down someone they could paint as high-profile hacking quarry, and in doing so they frightened a depressed academic idealist, who certainly posed no real danger to society, apple pie, or the American way, into killing himself.

The net widens: Auernheimer and Green

Aaron’s situation wasn’t unique. In 2011, security researcher Andrew Auernheimer was arrested, then tried and convicted in 2012 under CFAA for publicizing a vulnerability in AT&T’s website that exposed 114,000 emails. He got 41 months in prison and was ordered to pay an arbitrary-sounding $73,000 in restitution to AT&T. (The owners of the email addresses weren’t mentioned.) His legal team subsequently filed a brief challenging the conviction, claiming he hadn’t violated CFAA. He was released a year later, though the judiciary sidestepped the CFAA issue by vacating based on Newark, New Jersey (where Auernheimer was convicted), having been an improper venue. (Way to take on the tough decisions!)

More recently and certainly at the other end of some kind of spectrum, a Florida eighth grader was arrested, presumably under CFAA, for committing a felony when he broke into his school’s network to change the wallpaper on his teacher’s computer to a theme more appropriate to Gay Pride Day than middle school (at least in Florida).

As Dr. Dealgood from my favorite post-apocalyptic Tina Turner movie said, “But ain't it the truth: You take your chances with the law. Justice is only a roll of the dice, a flip of the coin, a turn of the wheel.” Presumably, Aaron decided he didn’t want to spin that particular wheel, and Aaron’s Law is an attempt to make sure that other people don’t have to and I fully support it.

What you think of the individual actions of Aaron, Andrew, or Domanik Green (Florida’s latest, possibly its only, hacking celebrity) isn’t really relevant. They’re three of many different cases that establish a two-part problem:

  1. A prosecutorial system that always seeks to cast the widest possible net
  2. The foundation of number 1 in technology-related crimes being an outdated, fundamentally flawed law because it includes broad, vague language intended more to extend its life rather than accurately prosecute

Given that the American populace is, at the very least, currently at loggerheads with its government regarding what exactly constitutes not only computer crime but also privacy, copyright, and the legal limits of Uncle Sam regarding what he can and can’t do to his citizens, I’m for anything that puts that discussion on the front burner.

Copyright © 2015 IDG Communications, Inc.