Internet Activist’s Death Prompts Scrutiny of Computer Hacking Laws

Jan 24, 2013

By Ryan Conley, staff writer – January 24, 2013

The online world is reeling from the suicide of an Internet pioneer and political activist, and his death may result in significant changes to federal anti-hacking laws.

Aaron Swartz, who took his own life on January 11, 2013, at the age of 26, was a co-creator of RSS, a widely used standard for web publication, and an early partner in Reddit, a popular social news website. At the time of his death, he was facing charges under the Computer Fraud and Abuse Act (CFAA); his conviction could have resulted in a decades-long prison sentence. His suicide has prompted allegations of prosecutorial overreach and proposals to alter the federal law. [1]

By the age of 20, Swartz was independently wealthy, following the sale of Reddit to Condé Nast; he began to engage in extensive political activism. In 2008, he published the “Guerilla Open Access Manifesto,” in which he railed against the “privatization of knowledge” and wrote, “We need to download scientific journals and upload them to file sharing networks.”[2]

Swartz’s criminal charges would result from doing exactly that. In the fall of 2010, he allegedly gained illegal access to JSTOR, a subscription-based digital library of academic journals. Swartz initially accessed JSTOR using an account on the Massachusetts Institute of Technology’s (MIT) network. That account was designed to allow an individual to download only a very limited number of articles, but Swartz allegedly found a way to bypass the limitation and download large numbers of articles, which soon attracted the attention of MIT and JSTOR. They disabled Swartz’s account, but he allegedly regained access several times despite their efforts to keep him out.[3]

Later, Swartz allegedly broke into a utility closet on the MIT campus and connected his laptop directly to the university’s network, at which point he was able to quickly bring his total number of downloaded articles to nearly 5 million, which caused some of JSTOR’s servers to crash.[4]

In July 2011, Swartz was indicted by a federal grand jury on charges including wire fraud and 13 violations of the CFAA. The maximum penalty for these crimes totaled 35 years of incarceration and millions of dollars in fines.[5]

Soon after Swartz’s suicide, his family released a statement blaming his death on “a criminal justice system rife with intimidation and prosecutorial overreach” and saying that “the US Attorney’s office pursued an exceptionally harsh array of charges.”[6] An online petition asking the Obama Administration to fire Carmen Ortiz, the US Attorney in charge of Swartz’s prosecution, has collected nearly 47,000 signatures and is awaiting a response from the White House. [7]

The Swartz case has also attracted much attention on Capitol Hill. Representative Darrell Issa (R-CA), a member of the House Judiciary Committee, plans to investigate the prosecution.

In an interview with The Huffington Post, Issa said, “Had [Swartz] been a journalist and taken that same material that he gained from MIT, he would have been praised for it. It would have been like the Pentagon Papers.” [8]

Senator John Cornyn (R-TX) sent a letter to Attorney General Eric Holder on January 18, 2013, requesting more information about the case and questioning the motivation behind the charges.

Cornyn asks in his letter, “Was the prosecution of Mr. Swartz in any way retaliation for his exercise of his rights as a citizen under the Freedom of Information Act?” [9]


Aaron Swartz, co-founder of Reddit.com and executive director of Demand Progress. Photo: Reuters.

Representative Zoe Lofgren (D-CA), whose district lies in Silicon Valley, is a Congressional leader in matters of intellectual property, opposing the Stop Online Piracy Act and certain components of the Protecting Children from Internet Pornographers Act. [10] She recently drafted a bill she calls “Aaron’s Law” in honor of Swartz, which would amend the CFAA and federal wire fraud statute to change how they define whether a user’s access to a computer is authorized.

The CFAA makes it a federal crime to access secure computers “without authorization” or in a way that “exceeds authorized access,” but does not clearly define those terms. This has resulted in prosecutors making creative use of the law in order to file charges against people for actions that seemingly have nothing to do with hacking computers.

For example, in United States v. Drew, a woman created a MySpace profile with a fictitious name and used the profile to tease and taunt a teenage girl, who later committed suicide. Unable to prosecute the woman simply for being a bully, US Attorneys charged her under the CFAA, arguing that her fictitious profile was a violation of MySpace’s terms of use, making her access to the website’s computers “unauthorized.” [11]

Lofgren’s bill would amend the CFAA’s description of what it means to “exceed authorized access” to a computer. Currently, the phrase is defined as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter.” Aaron’s Law would change that definition by adding to the end the words, “but does not include access in violation of an agreement or contractual obligation, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or employer, if such violation constitutes the sole basis for determining that access to a protected computer is unauthorized.” The bill would similarly amend the federal wire fraud statute, Section 1343 of title 18, United States Code. [12]

It is unclear exactly how federal prosecutors planned to argue that Swartz had violated the CFAA, but the indictment appears to suggest that their case was based at least in part on the idea that his access to JSTOR and MIT’s network was a violation of their terms of use. [13]

In a statement on Reddit, Lofgren said, “The government was able to bring such disproportionate charges against Aaron because of the broad scope of the Computer Fraud and Abuse Act (CFAA) and the wire fraud statute. It looks like the government used the vague wording of those laws to claim that violating an online service’s user agreement or terms of service is a violation of the CFAA and the wire fraud statute.

“Using the law in this way could criminalize many everyday activities and allow for outlandishly severe penalties.” [14]

In response to Lofgren’s post on Reddit, Larry Lessig, friend and mentor to Swartz and an intellectual property activist, called the bill an “important change that would do incredible good.” He summarized the bill by saying, “In a single line: no longer would it be a felony to breach a contract. Let’s get this done for Aaron — now.” [15]

Sources:

2. http://archive.org/stream/GuerillaOpenAccessManifesto/Goamjuly2008_djvu.txt
12. http://www.lofgren.house.gov/images/stories/pdf/draft%20lofgren%20bill%20to%20exclude%20terms%20of%20service%20violations%20from%20cfaa%20%20wre%20fraud%20011513.pdf