Aaron’s Law was a bill written by representative Zoe Lofgren of California. Representative Lofgren proposed the bill in the wake of Aaron Swartz’s death. Aaron’s law proposed amending the Computer Fraud and Abuse Act (CFAA) of 1986, after internet activist Aaron Swartz died by suicide while facing a potential 35-year prison sentence for illegally downloading millions of academic articles that were only available via a subscription service. The Computer Fraud and Abuse Act of 1986, or the CFAA, is the the law that governs computer abuse in the United States. Though Aaron’s Law did not succeed, Congress amends the CFAA somewhat regularly, with changes occurring in 1989, 1994, 1996 and 2002. The controversial U.S. Patriot Act greatly impacted the CFAA in 2001, and the 2008 Identity Theft Enforcement and Restitution Act also affected the scope of the CFAA.
First, the CFAA as written punishes “exceeding authorized access” to a protected computer, a phrase vague enough to inspire some broad interpretations. The bill borrows ideas for clarifying it based on a few circuit court opinions. In a 2012 ruling from the Ninth Circuit, for instance, Chief Judge Alex Kozinski irreverently laid out the consequences if we allowed an overly broad interpretation of that phrase: Basing criminal liability on violations of private computer use polices can transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved. Employees who call family members from their work phones will become criminals if they send an email instead. Employees can sneak in the sports section of the New York Times to read at work, but they’d better not visit ESPN.com. And sudoku enthusiasts should stick to the printed puzzles, because visiting www.dailysudoku.com from their work computers might give them more than enough time to hone their sudoku skills behind bars.
Aaron’s Law removed the phrase “exceeds authorized access” and replaced it with “access without authorization,” which it defines as, “to obtain information on a computer that the accesser lacks authorization to obtain, by knowingly circumventing technological or physical measures designed to prevent unauthorized individuals from obtaining that information.” Basically, you shouldn’t be prosecuted for violating a term of service that you probably didn’t read before hitting “I Agree.” You have to knowingly circumvent a password or a locked office intended to keep you out.