Yesterday, Rep. Zoe Lofgren and Rep. Ron Wyden introduced a bill, known as “Aaron’s Law”, which amends the Computer Fraud and Abuse Act (CFAA), a 1986 bill that set most of the “cybercrime” statutes on the books today. This law, affectionately known as U.S. Code Title 18, Part I, Chapter 47, §1030, has been added to many times over the years (via the PATRIOT Act, and various bills related to issues of identity theft, etc.), but the substantial core of the bill has remained the same since 1986: vague, ominous, overly broad, and a rampant playground for prosecutorial misconduct.
A quick recap of the origins of Aaron’s Law, just in case there are readers outside my usual demographic of nerds and hackers: Aaron Swartz was a brilliant programmer and activist who co-authored the RSS specification as a teenager, went on to co-found Reddit and Demand Progress, and so much more. Chagrined by the lack of public access to (especially taxpayer-funded) research, he went on to use MIT’s computer network to (illegally) download millions of academic papers from JSTOR. MIT and JSTOR both declined to press charges, but federal prosecutors Carmen Ortiz and Stephen Haymann smelled blood in the water and attacked like frenzied piranha-sharks. Okay, those don’t exist, but I don’t think there’s a single creature vicious enough to describe this dastardly duo. Faced with 35 years in federal prison, Aaron, sadly, took his own life.
I’m not here to rehash the whole case or go over what should have happened differently. The hacker community mourns the loss of Aaron Swartz, each of us in our own way. But I do want to address the technical, economic, and even pedagogical consequences of the CFAA in its current state, and why its amendment is so vital.
A history of abuse
Aaron Swartz was not the first victim of the CFAA, but he may be its first public fatality. In The Hacker Crackdown, Bruce Sterling describes the rampant excesses of “Operation Sundevil,” an all-out raid on “hackers” that occurred in the late 1980s. There’s a good piece on Gawker that describes that incident and how it relates to Aaron’s case.
A funny thing happens when someone begins to deeply grok computer systems, especially at the level of code. It opens a new world of possibilities and ignites an insatiable curiosity, a curiosity that often becomes “criminal” when exploration takes one beyond one’s own sandbox.
I got my first modem at the age of ten or eleven, and quickly left the BBS world when I got my first real (UNIX shell) internet account. I won’t go into details (not sure what the statute of limitations is!), but I’m certain some of what I got up to ran afoul of the CFAA, to put it mildly. I was a burgeoning hacker, not a cracker; I was never malicious, tried to follow the “Boy Scout rule” (always leave the campground better than you found it), and even left anonymous tips for the administrators of systems that I, uh, accessed, telling them how I got in and pointing them to a patch if I knew of one.
I’d like to think that, in the process of learning volumes about programming, systems, networks, etc., I actually helped to improve security.
The next generation of hackers
As I mentioned in my last post, I’m really interested in the push to teach kids real programming skills. But what happens when we’re giving kids the tools to send themselves to federal prison because of some outdated, vague laws that prosecutors love to abuse in order to ‘make examples’ of individuals whose only real crime is curiosity and a desire for open access to information?
When we open the world of programming to kids, we’re really creating the next generation of hackers. Not in the media-hyped, pejorative sense, but in the standard meaning, established by RFC1392: “A person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular.”
A legislative pull request
In a way, the body of laws forms the source code for our democracy; sadly, the compilers (lawyers and judges) are buggy as all hell and don’t raise warnings until it’s too late.
In Aaron Swartz’s case, we had a prosecutorial buffer overrun that caused the target process (Aaron) to segfault. It’s time to patch this piece of source code with the amendments contained in Aaron’s Law. It’s just a patch, and I’d say we need better code review in general (in this case, public code review actually occurred via Reddit, setting an interesting precedent) until we have perfect compilers — and I don’t see perfect lawyers or judges arriving any time soon.
Open source works; sunlight is the best disinfectant; transparency is desirable. When our elected representatives legislate out of fear or confusion (CFAA, PATRIOT, etc.), we get bad laws that imprison our best and brightest, or worse, take them from us completely.
Please go to the Demand Progress site for Aaron’s Law to become a citizen co-sponsor of the bill; it might be a measure too late for Aaron, but it’s necessary for the future.