Read this if you want to stay out of jail.

When my friend Aaron Swartz committed suicide in January, he'd been the subject of a DoJ press-release stating that the Federal prosecutors who had indicted him were planning on imprisoning him for 25 years for violating the terms of service of a site that hosted academic journals. Aaron had downloaded millions of articles from that website, but that wasn't the problem. He was licensed to read all the articles they hosted. The problem was, the way he downloaded the articles violated the terms and conditions of the service. And bizarrely -- even though the website didn't want to press the matter -- the DoJ decided that this was an imprisonable felony, under the Computer Fraud and Abuse Act, which makes it a crime to "exceed your authorization" on any online service.

The DoJ reasoned that if the law said that doing anything "unauthorized" was a crime, and if the long, gnarly hairball of legalese that no one reads before clicking "I agree" set out what you were allowed to do, then violations of that "agreement" were a felony.

Aaron's death galvanized some Congresscritters to do something about this oversight. The ancient CFAA predated the widespread use of terms of service in everyday activities like hanging out with your friends, reading the newspaper, getting an education or signing up for a dating service. Congress did not intend to create a situation where companies that provided services could put any unreasonable condition they wanted into an "agreement" you might never see ("By using this website, you accept all terms and conditions") and then ask the DoJ to put people in prison for decades if they violated them.

The reform to CFAA was welcome and long overdue. But the DoJ has asked some members of the House Judiciary Committee to make it worse.

Read the rest

Tim Wu's New Yorker piece on Aaron Swartz and the Computer Fraud and Abuse Act explains how Obama could, with one speech, fix the worst problem with the worst law in technology. The CFAA makes it a felony to "exceed your authorization" on a computer system, and fed prosecutors have taken the view that this means that if you violate terms of service, you're a felon, and they can put you in jail. As Wu points out, Obama doesn't need Congress to pass a law to fix this, he could just tell the DoJ that they should stop doing this. There's plenty of precedent, and it would be excellent policy.

When judges or academics say that it is wrong to interpret a law in such a way that everyone is a felon, the Justice Department has usually replied by saying, roughly, that federal prosecutors don’t bother with minor cases—they only go after the really bad guys. That has always been a lame excuse—repulsive to anyone who takes seriously the idea of a “a government of laws, not men.” After Aaron Swartz’s suicide, the era of trusting prosecutors with unlimited power in this area should officially be over...

There is a much more immediate and effective remedy: the Justice Department should announce a change in its criminal-enforcement policy. It should no longer consider terms-of-service violations to be criminal. It can join more than a dozen federal judges and scholars, like Kerr, who adopt a reasonable and more limited interpretation. The Obama Administration’s policy will have no effect on civil litigation, so firms like Oracle will retain their civil remedies. President Obama’s DREAM Act enforcement policy, under which the Administration does not deport certain illegal immigrants despite Congress’s inability to make the act a law, should be the model. Where Congress is unlikely to solve a problem, the Administration should take care of business itself.

All the Administration needs to do is to rely on the ancient common-law principle called the “rule of lenity.” This states that ambiguous criminal laws should be construed in favor of a defendant. As the Supreme Court puts it, “When choice has to be made between two readings of what conduct Congress has made a crime, it is appropriate, before we choose the harsher alternative, to require that Congress should have spoken in language that is clear and definite.” So far, at least thirteen federal judges have rejected the Justice Department’s interpretation of the Computer Fraud and Abuse Act. If that’s not a sign that the law is unclear and should be interpreted with lenity, I don’t know what is.

Fixing the Worst Law in Technology

Carmen Ortiz, the US Attorney who hounded Aaron Swartz, threatening him with 35 years in prison for downloading scholarly articles from MIT's open WiFi network, has released a statement explaining how harmless and pleasant she had been with Aaron. Mike Masnick just shreds the claims Ortiz makes in her release:

If Ortiz truly believed that his conduct did not warrant such "severe punishment" then she would not have trumpeted the 35 years in the first place, nor would she have piled on more charges. That would serve absolutely no purpose whatsoever if her claim here was true.

Furthermore, as Swartz's lawyers have made clear, Ortiz and her assistant, Stephen Heymann were pretty explicit to Swartz's lawyers that if he did not take their plea bargain offer, the next offer would be for more jail time, and if he still chose not to accept the offer, they'd seek at least seven years for Swartz in court. Tossing out that six month claim as if it were proof of some sort of fair dealing on Ortiz's part is flat out insulting to the intelligence of any thinking person, and downright offensive to the memory of Aaron.

How would Ortiz like it if her own child was accused on trumped up charges and threatened with 35 or more years in prison in press releases -- and then told to "settle" for just six months. I doubt she would find that to be "fair."

Carmen Ortiz Releases Totally Bogus Statement Concerning The Aaron Swartz Prosecution

Aaron Swartz killed himself two years to the day after he was charged with violating the Computer Fraud and Abuse Act, a controversial legislation that some courts have interpreted as making it a felony to do anything not explicitly authorized with a computer you don't own (for example, changing one character in a URL in your browser and accessing a document can be a felony). Many attempts have been made to reform CFAA, none successful. Now Rep Zoe Lofgren (D-CA) has introduced "Aaron's Law", to insert the following in its pre-amble:

A violation of an agreement or contractual obligation regarding Internet or computer use, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or employer is not in itself a violation of this section.

Larry Lessig has endorsed the proposal, saying, "Hey, this is a CRITICALLY important change that would do incredible good. The CFAA was the hook for the government's bullying of @aaronsw. This law would remove that hook. In a single line: no longer would it be a felony to breach a contract. Let's get this done for Aaron — now."

This is a great start. A great start. But it's only a start. Aaron's cause wasn't bringing justice to computer users, it was bringing justice to everyone. America is history's number one imprisoner, and its penal system is ghastly and inhumane. CFAA-based bullying is just a symptom, not the disease.

I'm Rep Zoe Lofgren & I'm introducing "Aaron's Law" to change the Computer Fraud and Abuse Act (CFAA) (lofgren.house.gov) (via Techdirt)