A year after Swartz suicide, reform of anti-hacking law remains elusive
Calls for changing the Computer Fraud and Abuse Act have made little headway
Computerworld - Internet activist Aaron Swartz's suicide last January galvanized calls for an overhaul of the Computer Fraud and Abuse Act (CFAA), used widely by the government to prosecute misdeeds that critics say the law was never intended to address. Yet, one year after Swartz's death, efforts to reform the law appear to have made little headway.
Aaron's Law, a bill that would have put important new restrictions on use of the CFAA by federal prosecutors, stalled in Congress last year despite eliciting wide support from privacy and rights advocacy groups. The bill was sent to the House Judiciary Committee's Crime, Terrorism, Homeland Security and Investigations subcommittee in June, where it languished.
While Swartz's legions of supporters remain intent on reforming the law, the appetite for change in Washington has diminished considerably. A bill introduced by Sen. Patrick Leahy (D-Vt.) earlier this month seeks to tweak the CFAA, but in a manner that raises new issues, according to some observers.
The furor over the Edward Snowden leaks also diverted attention from CFAA reform, making it uncertain whether change to the act will happen this year.
"Unfortunately, little has changed on the CFAA front," after Swartz's death, said Hanni Fakhoury, a staff attorney with the Electronic Frontier Foundation. "Since the Snowden/NSA stories broke, much of the attention has turned to that fight."
Leahy's recently introduced bill may bring more attention and momentum to the fight to scale back the CFAA, but it's too soon to say for sure, Fakhoury said.
Swartz, 26, hanged himself Jan. 11, 2013, apparently over concerns of spending a long time in prison on hacking charges. Federal prosecutors in Massachusetts had indicted Swartz on 13 counts of felony hacking and wire fraud charges in connection with his alleged theft of millions of documents from JSTOR, an online library of literary journals and scholarly documents.
Swartz, a co-founder of the online news aggregation site Reddit and co-author of the RSS 1.0 Web feed specification, downloaded the documents from an MIT server using an account that he had set up with a fake name and email address.
Swartz, who was a fellow at Harvard University at the time, claimed he downloaded the scholarly documents so he could make them available for free on the Internet. The JSTOR documents are typically sold by subscription to universities and other institutions.
Federal prosecutors accused him of breaking provisions of the CFAA, which, among other things, makes it illegal for anyone to knowingly access a computer without authorization or to exceed their authorized use of a system.
The law provides for penalties of up to life in prison for hacking. Prosecutors allegedly led Swartz into believing he faced 35 years in prison for his actions -- a prospect that is believed to have spurred his decision to kill himself.
The CFAA, drafted by Congress in 1986, was originally designed to deter criminal hacking for data theft or sabotage. Critics of the law say that its loose definition of key terms, like those related to unauthorized access and exceeding authorized access, has allowed creative prosecutors to apply the CFAA to a broader set of circumstances.