Congress Should Fix the CFAA


Like so many others, we at Sunlight are terribly saddened by Aaron Swartz’s death. Our longtime friend and adviser Micah Sifry has penned a great tribute that encapsulates how many of us felt about Aaron. Some of us had counted him as a colleague; others as a friend. For all of us, Aaron was a source of inspiration. I only met him a couple of times, but he was someone I deeply admired, not only for his jaw-dropping resume but also for the depth of his intellect and commitment to justice.

Although Sunlight’s choice of tactics often differed from Aaron’s, we always respected his commitment to the fight for freeing information that rightfully belongs to the public. His death is a tremendous loss for a community that Sunlight is proud to count itself part of.

Others have suggested that Aaron would want his death to spur change, not just mourning, and we wholeheartedly agree. We are particularly glad to see efforts to reform the Computer Fraud and Abuse Act like the “Aaron’s Law” proposal introduced by Rep. Lofgren (the EFF has subsequently suggested additional improvements). The CFAA is an inappropriately broad law that not only may have contributed to Aaron’s death, but threatens the work of all of us who believe in the power and promise of digital technology.

The CFAA’s failure to adequately define what constitutes unauthorized access has proven to be particularly dangerous. In recent years this criterion has been interpreted to include violations of websites’ Terms of Service (ToS) — contracts that users explicitly or implicitly enter when visiting a site. Most of the time, contract violations are a civil matter. But the CFAA makes it possible for ToS violations to become felonies. Jennifer Granick has written an excellent two-part series on the problems with the CFAA and the seriousness of its criminal implications. Orin Kerr also has a good, shorter illustration of why it’s a bad idea to add criminal implications to website Terms of Service agreements.

But the principle is broader than the threat of arbitrary ToS clauses. It would obviously be inappropriate for an author to attempt to dictate whether people could wear glasses or take notes while reading his or her work. In the same way, it is inappropriate for website operators to dictate which technologies readers employ to understand published data. Whether you can access the data; what you do with it publicly; what practices must be observed to preserve access for others — these are all perfectly valid places for content owners to introduce rules and limitations. But for digital natives like Aaron, the distinction between what can be accomplished with a mouse and what can be accomplished with a Python script is only one of efficiency. In the long run, trying to enforce these distinctions will prove to be not only pragmatically hopeless but philosophically meaningless.

At Sunlight, we don’t consider our tactics particularly radical — at least not compared to Aaron’s. But we regularly find ourselves faced with violating Terms of Service as we pursue our mission of making vital government information available to everyone who needs it.

Part of the answer to this problem is better thinking about how Terms of Service are written; part of it is government embracing appropriate distribution mechanisms, like bulk data and APIs, which make techniques like screen scraping less necessary. But it is clear that removing criminal consequences from what should be civil disputes would be an important step forward.

The negative consequences of the CFAA’s poor design will rarely take a form as heartbreaking as the death of a brilliant young person. But they are real, and they should be ended. We join those calling for CFAA reform.