Internet activist Aaron Swartz's suicide last January galvanized calls for an overhaul of the Computer Fraud and Abuse Act (CFAA), used widely by the government to prosecute misdeeds that critics say the law was never intended to address. Yet, one year after Swartz's death, efforts to reform the law appear to have made little headway.
Aaron's Law, a bill that would have put important new restrictions on use of the CFAA by federal prosecutors, stalled in Congress last year despite eliciting wide support from privacy and rights advocacy groups. The bill was sent to the House Judiciary Committee's Crime, Terrorism, Homeland Security and Investigations subcommittee in June, where it languished.
While Swartz's legions of supporters remain intent on reforming the law, the appetite for change in Washington has diminished considerably. A bill introduced by Sen. Patrick Leahy (D-Vt.) earlier this month seeks to tweak the CFAA, but in a manner that raises new issues, according to some observers.
The furor over the Edward Snowden leaks also diverted attention from CFAA reform, making it uncertain whether change to the act will happen this year.
"Unfortunately, little has changed on the CFAA front," after Swartz's death, said Hanni Fakhoury, a staff attorney with the Electronic Frontier Foundation. "Since the Snowden/NSA stories broke, much of the attention has turned to that fight."
Leahy's recently introduced bill may bring more attention and momentum to the fight to scale back the CFAA, but it's too soon to say for sure, Fakhoury said.
Swartz, 26, hanged himself Jan. 11, 2013, apparently over concerns of spending a long time in prison on hacking charges. Federal prosecutors in Massachusetts had indicted Swartz on 13 counts of felony hacking and wire fraud charges in connection with his alleged theft of millions of documents from JSTOR, an online library of literary journals and scholarly documents.
Swartz, a co-founder of the online news aggregation site Reddit and co-author of the RSS 1.0 Web feed specification, downloaded the documents from an MIT server using an account that he had set up with a fake name and email address.
Swartz, who was a fellow at Harvard University at the time, claimed he downloaded the scholarly documents so he could make them available for free on the Internet. The JSTOR documents are typically sold by subscription to universities and other institutions.
Federal prosecutors accused him of breaking provisions of the CFAA, which, among other things, makes it illegal for anyone to knowingly access a computer without authorization or to exceed their authorized use of a system.
The law provides for penalties of up to life in prison for hacking. Prosecutors allegedly led Swartz into believing he faced 35 years in prison for his actions -- a prospect that is believed to have spurred his decision to kill himself.
The CFAA, drafted by Congress in 1986, was originally designed to deter criminal hacking for data theft or sabotage. Critics of the law say that its loose definition of key terms, like those related to unauthorized access and exceeding authorized access, has allowed creative prosecutors to apply the CFAA to a broader set of circumstances.