In The Wake Of Aaron Swartz's Death, Let's Fix US Computer Crime Law

Outpourings of grief and calls for change continue to flood the Internet after the suicide of Aaron Swartz, only 26 years old.

Aaron was one of our community's best and brightest, and he achieved great heights in his short life. He was a coder, a political activist, an entrepreneur, a contributor to major technological developments (like RSS), and an all-around Internet freedom rock star. As Wired noted, the world will miss out on decades of magnificent things Aaron would have accomplished had his time not been cut short.

Over the past two years, Aaron was forced to devote much of his energy and resources to fighting a relentless and unjust felony prosecution brought by Justice Department attorneys in Massachusetts. His alleged crimes stemmed from using MIT's computer network to download millions of academic articles from the online archive JSTOR, allegedly without "authorization." For that, he faced 13 felony counts of hacking and wire fraud (pdf), which carried the possibility of decades in prison and crippling fines. His case would have gone to trial in April.

The government should never have thrown the book at Aaron for accessing MIT's network and downloading scholarly research. However, some extremely problematic elements of the law made it possible. We can trace some of those issues to the U.S. criminal justice system as an institution, and I suspect others will write about that in the coming days. But Aaron's tragedy also shines a spotlight on a couple of profound flaws of the Computer Fraud and Abuse Act in particular, and gives us an opportunity to think about how to address them.

Problem 1: Hacking laws are too broad, and too vague

Among other things, the CFAA makes it illegal to gain access to protected computers "without authorization" or in a manner that "exceeds authorized access." Unfortunately, the law doesn't clearly explain what a lack of "authorization" actually means. Creative prosecutors have taken advantage of this confusion to craft criminal charges that aren't really about hacking a computer but instead target other behaviour the prosecutors don't like.

An infamous example is United States v. Drew, a case in which a woman created a fake MySpace page to taunt a teenage girl. The girl became distraught and committed suicide. No crime made the bullying itself illegal, so prosecutors charged Drew under the CFAA, claiming her fake profile violated MySpace's terms of use, which made her access to the social networking site's computers "unauthorized."

An obvious problem with this argument is that it would mean anyone who runs afoul of a web site's fine print is a criminal - and many of us intentionally or unintentionally violate those agreements every day. Prosecutors wouldn't bother filing criminal charges against most of us, of course. But if they wanted to, they would have the leeway to do it under the government's theory.

The judge ultimately reached the right result, finding that Drew didn't violate the CFAA just because she breached MySpace's terms of use.

But other criminal defendants haven't been so lucky.

In November, a jury convicted Andrew Auernheimer after someone else wrote a script to collect thousands of iPad owners' email addresses - which AT&T had failed to secure. Auernheimer's involvement in the "hack" appears to have been primarily telling journalists about the vulnerability after the fact (pdf). He plans to appeal the conviction.

It's possible that Auernheimer's unsympathetic reputation as an Internet troll played a role in the government's decision to indict him. And the CFAA's vague and overbroad language gave the jury an excuse to punish someone who didn't carry out anything remotely resembling a serious computer intrusion, even though that's the concern that caused Congress to criminalise "unauthorized" access in the first place.

Let's be clear: being an unsympathetic person is not a computer crime.

Most of the government's charges against Aaron alleged "unauthorized" access. We'll never know exactly how prosecutors planned to argue at trial that Aaron's access to JSTOR and the MIT network was "unauthorized." However, the allegations in the indictment suggest the case was based at least in part on the idea that Aaron violated JSTOR and MIT's network rules and user agreements. Under Drew and more recent precedent (pdf), that theory of criminal liability is dubious at best.

The prosecutors also made more technical claims that Aaron registered as a guest on the MIT network under a pseudonym, bypassed IP blocks, and spoofed his laptop's MAC address to avoid detection on the MIT network. Respected information security expert Alex Stamos, who would have testified at trial, has debunked the idea that these practices amounted to the grim hacking scheme suggested by the government, especially because MIT purposely maintains an open network. Stamos concluded:

Aaron Swartz was not the super hacker breathlessly described in the Government's indictment and forensic reports, and his actions did not pose a real danger to JSTOR, MIT or the public. He was an intelligent young man who found a loophole that would allow him to download a lot of documents quickly. This loophole was created intentionally by MIT and JSTOR, and was codified contractually in the piles of paperwork turned over during discovery.

The Justice Department's press release announcing Aaron's indictment suggests the true motivation for pursuing the case was that Aaron downloaded academic literature from JSTOR and planned to make it available to the public for free as a political statement about access to knowledge. According to United States Attorney Carmen M. Ortiz, "Stealing is stealing whether you use a computer command or a crowbar, and whether you take documents, data or dollars. It is equally harmful to the victim whether you sell what you have stolen or give it away." And the CFAA's vague language and broad reach helped to give the government the means to bring a criminal prosecution, even though the situation would have been better resolved privately among Aaron, JSTOR, and MIT.

It's time for Congress to amend the CFAA to clarify what counts as access "without authorization" and what doesn't. This will help ensure prosecutors can't use the law to bring arbitrary cases against people they simply don't like.

Problem 2: Hacking laws have far too heavy-handed penalties

The penalty scheme for CFAA violations is harsh and disproportionate to the magnitude of offenses. Even first-time offenses for accessing a protected computer "without authorization" can be punishable by up to five years in prison each (10 years for repeat offenses) plus fines. It's worth noting that five years is a relatively light maximum penalty by CFAA standards; violations of other parts of that law are punishable by up to 10 years, 20 years, and even life in prison.

When Aaron was first indicted on four felony counts, the Justice Department crowed that he was facing 35 years in prison and a million-dollar fine. Last fall, the government upped the ante and re-indicted Aaron on 13 counts. Eleven counts were CFAA offenses, some of which were "unauthorized" access claims and some of which were alleged violations of other parts of that law. Each CFAA count was punishable by a maximum of five years of prison time. He was also indicted on two wire fraud counts, each of which carried a maximum of 20 years.

According to the Wall Street Journal, the government indicated shortly before Aaron's death that it "might only seek seven years at trial." That number pales in comparison to what prosecutors could have exercised their discretion to seek, and what the law would have permitted a court to impose. But seven years is still a very long time, and a wholly disproportionate penalty for Aaron's alleged actions.

As if the law's current magnitude of punishment isn't overwhelming enough, Congress has been thinking about beefing up the CFAA, which the Justice Department fully supports (pdf). Both the House and Senate considered legislation last year that would expand the reach of the statute and make its penalties even more severe. These are terrible ideas, especially in light of the "unauthorized" access problem discussed above.

The specter of being incarcerated for years should never have haunted Aaron, but it did. Brilliant, talented, visionary people should be spending their time building our future, not worrying about wasting away in prison. Congress must update the CFAA to ensure the penalties actually make sense in light of the behaviour they're meant to punish.

The Upshot

The CFAA's vague language, broad reach, and harsh punishments combine to create a powerful weapon for overeager prosecutors to unleash on people they don't like. Aaron was facing the possibility of decades in prison for accessing the MIT network and downloading academic papers as part of his activism work for open access to knowledge. No prosecutor should have tools to threaten to end someone's freedom for such actions, but the CFAA helped to make that fate a realistic fear for Aaron.

Please join us in calling on Congress to change the law today. Click here to send a note to your elected officials today.

Aaron was a powerful force for change, and he would still be working toward that goal if he were here. His memory should challenge us to make the Internet, the law, and the world better. One place to start is the CFAA.

Republished from the Electronic Frontier Foundation


Comments

    United States v. Drew, a case in which a woman created a fake MySpace page to taunt a teenage girl. The girl became distraught and committed suicide
    The judge ultimately reached the right result

    So what you are saying here, is that just because you have caused someone's death, if you did it with a computer, you should not be punished?
    Fucking. Absurd.

      The 'right decision' was that people can't be prosecuted using overly broad laws covering normal behaviour. I don't like what she did to that poor girl, but unfortunately it wasn't actually illegal.

      That's not what was being said. Drew was essentially on trial for making a fake MySpace account, for that she was let off. Correct decision despite her actions.

      Unfortunately there appears to be a lack of laws protecting people from others, yet plenty of laws protecting computers from others.

      This person should have been charged with assault or manslaughter style charges. But there are no such charges that could apply here. Which meant they went after her with computer crime charges.

      So you've got overzealous computer crime laws, and no laws to protect people from harassment over the internet. GO USA!!!!!

        She should've been charged with the same offences she would've received if she'd yelled the same comments at her in person. Whether that's harassment, defamation, verbal assault or whatever. I don't know if those particular charges carry harsher penalties if the victim reacts by harming themselves (I doubt it) but it's the best analogy I can come up with.

          Abusing someone verbally and over the internet is not the same. I'm not saying either one is okay, I'm saying there is an important distinction to make before you go dishing out the same penalties for both of them.

          Aside from the fact that most people are too clueless to realise the possible repercussions, there is also the fact that comments on the internet are completely open to interpretation. A distressed person could easily see a comment that was designed to be sarcastic or ironic and conclude that it was meant to be insulting. This makes the sarcastic or ironic person completely responsible for that person's death, so are you going to penalise that person for exercising their right to free speech?

          As technology improves I often remember that Benjamin Franklin quote about freedom and security. It is applicable here.

          What needs to be done here is to impress upon people the differences between the two different methods of communication and that they should be able to be unaffected by hurtful words. We shouldn't go and start arresting people for internet comments, we should start telling people that bad people are on the internet and that their words should be taken with a grain of salt.

    I will agree that the laws need to be changed.
    To be stricter. We cannot live in a society where someone can commit a crime and not have consequences.
    If you hack into something and steal information, you are committing a crime.
    The idea that "there is no law that says I can't" is ridiculous because that is not how the law works.

    Spread your pro-hacker garbage somewhere else.

      I don't think you need to be pro-hacker to see that there is something wrong with the current laws in the US.

      Imagine if this site had a requirement that you post under your real name in its ToS, but didn't actually care what name you used provided you weren't making a nuisance of yourself. Under the laws in the US, the state could pursue a criminal charge anyway due to unauthorised access to the site and ask for a 5 year prison term. They could also selectively prosecute a single user, and ignore everyone else doing the same thing.

      That seems overly harsh to me, indicating that the law is too broad. There probably does need to be criminal law covering unauthorised access to computers, but it shouldn't extend as far as it does.

      Spread your pro-hacker garbage somewhere else.

      Guys I found the old person

    "and many of us intentionally or unintentionally violate those agreements every day"

    This kind of rubbish does worry me - "everyone is doing it, so I should not be held accountable".
    Is that what you truly believe?
    The law makes it quite clear that ignorance is no defence.
    I find it sad that a tragedy is being used to peddle an agenda.

      Actually - the charges won't stand if everyone is doing it and the Government doesn't make a reasonable attempt to charge everyone for it. Without that protection, the Government could make jaywalking a capital offence, but only target political dissidents. In the MySpace case, they were clearly pursuing an individual among many, for reasons external to the law that was actually broken (the law was found not to be relevant anyway).

      Regardless, the argument is that people break the terms of service through normal use. Part of the basis for that argument can be that everyone does it either because:
      1. The terms aren't enforced;
      2. The terms are too vague or complex;
      3. The terms are contradictory;
      4. The terms are not actually binding.
      5. It is easy to break the terms inadvertently.
      6. It's not reasonable to expect people to be aware of the terms.

      If you breach a site's terms of service, the owners of the site can go after you with civil charges (which JSTOR apparently was doing with Swartz before settling).

      It isn't clear why the state should get involved in enforcing every nutty requirement a site puts in its ToS through criminal charges though. Is the act so bad that it needs to be pursued even if the wronged party is happy to let it slide?

    If the author does something silly because you called them "Fucking Absurd" do you think you should be up for a murder charge?

    Maybe the U.S. could do something about the way it makes so much money from incarceration, which directly reflects America's lengthy prison sentences. But I don't see that happening anytime soon.

    Here's a lovely quote from the Corrections Corporation of America:

    "It takes time to bring inmate population levels up to where they cover costs. Low occupancy is a drag on profits....company earnings would be strong if CCA succeeded in ramp(ing) up population levels in its new facilities at an acceptable rate".

    End quote.

    If Aaron was such an intelligent guy, then why did he break into a University at the risk of spending 30 years behind bars? ... Based on this information, I think I.Q. tests are highly overrated and outdated. Seems they're about as accurate as polygraph tests.

    If the word intelligence basically means "the ability to learn and reason" then it seems Aaron had neither. The only difference between Aaron and the common criminal was a couple of I.Q. points.

    Game over Aaron, thank you for playing anyway.

    Last edited 17/01/13 1:18 am
