Nominee For Attorney General Tap Dances Around Senator Franken's Question About Aaron Swartz

from the fix-the-cfaa dept

Question 1. The Computer Fraud and Abuse Act (CFAA) has received attention for its potentially harsh penalties. In 2013, I wrote a letter to the Department of Justice expressing my concern about the way in which Aaron Swartz was aggressively prosecuted under the CFAA, and associating myself with a similar letter by Senator Cornyn. The Department’s response was, in short, that the prosecution of Swartz was consistent with the Act. Since then we have heard many people – from all over the political spectrum – call for reform of the CFAA. Recently, the White House announced a proposal to amend the Act. Some have characterized the proposal as a step in the wrong direction, noting – for example – that it would increase certain sentences. What is your assessment of these criticisms, and what is your opinion of the proposal?



RESPONSE: I believe that the Department of Justice has a responsibility to protect Americans from invasions of their privacy and security by prosecuting and deterring computer crimes. Accordingly, we must ensure that the CFAA, like all of our tools, remains up-to-date and reflects the changes in the way that cybercrimes are committed, changes that have occurred in the decades since it was first enacted. For example, I understand that the Administration’s proposals include provisions designed to facilitate the prosecution of those who traffic in stolen American credit cards overseas, to enable the Department to dismantle botnets that victimize hundreds of thousands of computers at a time, and to deter the sale of criminal “spyware.”



With respect to the sentencing provisions contained in those proposals, I believe it is appropriate to ensure that, in the event a defendant is convicted of a hacking offense, the sentencing court has the authority to impose a sentence that fits the crime. For example, the enormous harm caused by the massive thefts of Americans’ personal financial data from retailers illustrates the need to ensure that the maximum sentences available are adequate to deter the worst offenders. As the level of harm caused by the worst cybercrimes increases, I support increasing the maximum penalties available to punish those crimes to a level commensurate with similar crimes, such as mail fraud or wire fraud.



It is also important to understand that these statutory maximum sentences do not control what sentence is appropriate for less significant offenses under the CFAA. In many criminal prosecutions, including prosecutions under the CFAA of all but the most serious offenses, the statutory maximum penalty has little or no impact on the sentencing of convicted defendants. Instead, in each case, prosecutors make individualized sentencing recommendations, and judges make individualized decisions, based on such factors as the facts of the case, the offender’s history, and the U.S. Sentencing Guidelines.



Finally, I note that the Administration’s 2015 proposal does not include any new mandatory minimum sentences, and I support the decision not to seek any such new sentences in the CFAA at this time.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community. Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis. While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

We've discussed for years how broken the CFAA (Computer Fraud and Abuse Act) is. The law, which was written many years ago, is problematically vague in certain areas, allowing prosecutors to claim that merely breaking a terms of service you didn't read is a form of felony hacking -- as they define it as "unauthorized access." While there have been many egregious CFAA cases, one of the most high-profile, of course, was that of activist Aaron Swartz, who was arrested for downloading too many research papers from JSTOR from the computer network on the MIT campus. The MIT campus network gave anyone -- even guests -- full access to the JSTOR archives if you were on the university network. Swartz took advantage of that to download many files -- leading to his arrest, and a whole bunch of charges against him. After the arrest, the DOJ proudly talked about how Swartz faced 35 years in prison. Of course, if you bring that up now, the DOJ and its defenders get angry, saying he never really would have faced that much time in prison -- even though the number comes from the DOJ's (since removed) press release Swartz, of course, tragically took his own life in the midst of this legal battle, after facing tremendous pressure from the DOJ to take a plea deal as a felon, even as Swartz was sure he had done nothing illegal or wrong. Since then, there have been a few attempts to update the CFAA to block this kind of abuse, but they have been blocked at every turn by a DOJ that actually wants to make the law even worse . This includes the White House's latest proposal for CFAA reform, which would actually make more things a felony under the CFAA, and could drastically increase sentencing for things that many of us don't think should be a crime at all -- such as tweeting out a list of worst passwords on the internet.Outgoing Attorney General Eric Holder has done his best to ignore or downplay any suggestion that his Justice Department abused the CFAA in going after Swartz. And it looks like his likely replacement is trying to do the same.Senator Al Franken questioned nominee Loretta Lynch about Swartz and the CFAA and got back a response that is basically her avoiding the question. She doesn't say anything about Swartz, but goes off on some FUD about the dangers of malicious hackers and how the DOJ needs the tools to fight spyware. She then claims that the newly proposed CFAA changes are okay because they only increase the possible maximum sentences, but not the minimums, leaving things up to the discretion of judges (and prosecutors):This, of course, misses the point. First, it assumes that longer sentences are somehow going to doto diminish the likelihood of malicious attacks. It won't. This is such a total braindead law enforcement view of things: that if only there were greater punishment it would scare the "bad people" out of doing what they're going to do. That's never really worked, and especially not in this area, where the law is being abused to go after people who don't think they're actually doing anything wrong.Second, it just plays up the FUD that "bad stuff is happening" so "something must be done." But it ignores how vague the law is and how it's wide open to abuse. Alaw enforcement official would ask for clearer laws that more narrowly target actual bad behavior, rather than celebrating a broad and vague law that can be, and is, widely abused just to rack up more DOJ headlines and "victories."

Filed Under: aaron swartz, al franken, attorney general, cfaa, doj, loretta lynch