In the wake of this brilliant technology activist’s death, let’s fix the draconian Computer Fraud and Abuse Act.
The government should never have thrown the book at Aaron for accessing MIT’s network and downloading scholarly research. However, some extremely problematic elements of the law made it possible.
### Problem 1: Hacking laws are too broad, and too vague
Among other things, the CFAA makes it illegal to gain access to protected computers “without authorization” or in a manner that “exceeds authorized access.” Unfortunately, the law doesn’t clearly explain what a lack of “authorization” actually means. Creative prosecutors have taken advantage of this confusion to craft criminal charges that aren’t really about hacking a computer but instead target other behavior the prosecutors don’t like.
### Problem 2: Hacking laws have far too heavy-handed penalties
The penalty scheme for CFAA violations is harsh and disproportionate to the magnitude of offenses. Even first-time offenses for accessing a protected computer “without authorization” can be punishable by up to five years in prison each (10 years for repeat offenses) plus fines. It’s worth nothing that five years is a relatively light maximum penalty by CFAA standards; violations of other parts of that law are punishable by up to 10 years, 20 years, and even life in prison.
No prosecutor should have tools to threaten to end someone’s freedom for such actions, but the CFAA helped to make that fate a realistic fear for Aaron. To honor Aaron and prevent future abuses, we should rally together to reform CFAA.