For the past two weeks, the technology and Internet communities have grappled with the untimely death of Aaron Swartz, the technology activist who was prosecuted for allegedly “hacking” into the JSTOR database and attempting to download 4.8 million academic documents. Media as diverse as The Wall Street Journal and Wired have criticized what they believe to be the misuse of prosecutorial discretion in pursuing the charges against Swartz. Some are even calling for the U.S. Attorney responsible for the prosecution, Carmen Ortiz, to step down. Others are calling for the forces that led to the defeat of SOPA last year to reunite to amend or scrap the Computer Fraud and Abuse Act (CFAA). Silicon Valley congresswoman Zoe Lofgren has proposed a bill to modify the statute to remove potential criminal liability for violations of computer usage terms of service.
The narrow question here: What does this unfolding tragedy mean for the CFAA? Given the scope and intensity of this issue, I am going to break this discussion down into two posts. Today, I am going to consider the following question: Did Swartz’s alleged conduct violate the CFAA, and if so, is the CFAA part of the problem? My second post will assess the issue of prosecutorial discretion and consider what can be done to prevent this unfortunate situation from recurring in the future, with a look at Congresswoman Lofgren’s proposed changes to the CFAA.
What brought us here? The story is a compelling one. A prodigy and reformer, Swartz had co-founded the subscription feed RSS and co-founded Reddit, the social media site. Swartz had been a particularly powerful voice in the Internet grass-roots movement that defeated SOPA last year. As Orin Kerr notes in his meticulous analysis of the Swartz case, in 2008, Swartz published an essay that he labeled the Guerrilla Open Access Manifesto. In the essay, Swartz argued that there was a moral imperative to engage in civil disobedience and disregard laws that limited access to academic articles and that those articles should be made available.
This fact emphasizes a couple of important undercurrents that are driving this narrative. First, this prosecution is the latest flashpoint in the battle between the “information should be free” community on the one side, and the intellectual property rights owners and their legal community, on the other. Those in the first camp generally believe that those in the second camp use IP law (particularly copyright law) to unduly restrict ideas and content that should be free and available to all; the most public battle between these two forces was the defeat of SOPA last year. As Swartz was a vocal proponent of the view that content should be available over the Internet, his untimely death, and the circumstances that apparently drove it, have added considerably to the emotional intensity of the story.
There is also a generational undercurrent that has not received a lot of attention (in an article for Forbes, Tarun Wadhwa has written about “What the Loss of Swartz means for his Generation”). In many ways, Swartz was a standard-bearer for the millennial generation, the generation that came of age with the Internet, Napster and file-sharing, and a generation that is generally believed to be somewhat agnostic to the concept of copyright law. (This issue warrants a post by itself.)
Back to the indictment: Swartz was alleged to have improperly accessed JSTOR, a subscription service allowing users to access a variety of academic journals. According to the indictment, Swartz initially downloaded articles from JSTOR through a guest account on MIT’s network onto an Acer laptop that he purchased for this purpose. Through the use of a program called “keepgrabbing,” Swartz allegedly was able to circumvent JSTOR’s limits on the number of articles a single person could download. However, after MIT and JSTOR detected his efforts and disabled his access multiple times, Swartz allegedly broke into a utility closet on MIT’s campus where he was able to connect his computer directly to the university network. (Prosecutors contend a surveillance camera captured him attempting to cover his face with a biking helmet.) In total, Swartz allegedly downloaded around 4.8 million articles from JSTOR.
In July 2011, Swartz was indicted on federal charges, including wire fraud and thirteen separate violations of the CFAA. For these charges, Swartz faced up to thirty-five years in prison, as well as millions of dollars’ worth of fines. Swartz faced a trial in April and, as most of us now know, he committed suicide on January 11, 2013 after plea negotiations broke down.
Was the CFAA Part of the Problem? The CFAA has undergone a fair amount of criticism as of late, as the debate over U.S. v. Nosal last year showed. Numerous commentators have blamed the overbreadth of the CFAA as the primary culprit for the Swartz tragedy. But is the CFAA really the problem here? To answer that question, we have to look at what Swartz did and then apply the statute as charged. (So that readers can judge for themselves, I am attaching the indictment below as a PDF.)
Here is one of the better summaries of the alleged conduct that led to the indictment (again from Orin Kerr’s analysis): “… Swartz knew that the means he used to obtain the JSTOR database was unauthorized. He was playing a long-term cat-and-mouse game with MIT and JSTOR in which they repeatedly tried to get him off the network and he repeatedly figured out ways to get back on and get the files he wanted. He didn’t break into the closet because he liked closets; he was trying to find a way to do what MIT and JSTOR were trying to block. He wasn’t hiding his face from the video camera in the MIT closet out of shyness; he knew that he was doing something illegal and he was trying not to get caught. And when the police spotted him, he wasn’t surprised that they wanted to talk to him: According to the police report, he jumped off his bike and tried to outrun the police on foot. Further, Swartz’s conduct had real costs to others, ranging from costs to MIT in dealing with responding to his conduct to lost access to JSTOR for a few days for the entire campus.”
Many have criticized the CFAA because the indictment identified Swartz’s violations of MIT’s online agreement as the basis for the charges. The reasoning goes that any violation of a computer use policy can potentially lead to an indictment by an overzealous prosecutor. However, as Andy Greenberg of Forbes has observed, the indictment was premised on more than the violation of the MIT computer use policy. He quotes Marcia Hofmann of the Electronic Freedom Foundation as follows: “When Swartz wrote a program that had his Acer laptop automatically download millions of academic papers from the restricted website JSTOR, after all, he ended up doing more than merely violating MIT’s and JSTOR’s terms of service, Hofmann points out. When registering an account with MIT that gave him initial access to the JSTOR documents, he used a pseudonym, “Gary Host.” And when MIT administrators noticed his computer downloading massive numbers of documents, they attempted to block his connection based on its IP and MAC addresses, measures that Swartz circumvented.”
Under the existing language of the CFAA, it is hard to argue that the conduct of which Swartz was accused would not violate the CFAA. His alleged actions would support an indictment that he either exceeded his authorization or acted without authorization in attempting to repeatedly download the documents from JSTOR. For this reason, those that have likened his conduct to checking out too many library books simply have not looked at the allegations within the indictment (assuming, of course, that the prosecutors’ allegations are taken as true). To again quote and paraphrase Orin Kerr’s meticulous analysis, the allegations regarding this cat-and-mouse game took place over 3 1/2 months, “in which he kept trying to gain access to the database and JSTOR kept trying to block him. They blocked his IP address; he changed it. They blocked his MAC address; he spoofed it. They blocked access and he broke into a restricted closet and connected directly to MIT’s network. This is not merely a case of breaching a written policy. Rather, this is a case of circumventing code-based restrictions by circumventing identification restrictions. I don’t see how that is particularly different from using someone else’s password, which is the quintessential access without authorization.”
Frankly, I think the more important question is whether Swartz undertook the alleged acts in question with the requisite “intent to defraud.” Swartz is alleged to have accessed the database for ideological reasons and not to enrich himself. While he appears to have intentionally accessed protected computers belonging to MIT and JSTOR “without authorization,” it seems to me that this element (which is necessary for a charge under 1030(a)(4) and which gives rise to Counts 3 through 7 of the indictment) was lacking here. Perhaps the prosecutors intended to argue that by engaging in the cat-and-mouse game detailed above, that was the requisite intent to defraud; however, since that is the conduct that supports the unauthorized access, this seems a reach, at least to me.
The prosecutors also used 1030(a)(2) for Counts 8 through 12 of the indictment, which omits this requirement of “intent to defraud.” Of the charges brought under the CFAA in this case, this one is the most problematic charge because it potentially permits the criminalization of any intentional access without authorization (or access that exceeds authorization) of any “information from any protected computer if the conduct involved an interstate or foreign communication.” That is extraordinarily broad.
As a practical matter, given the wide array of potential mischief that can be performed in cyberspace, the unfortunate reality is that prosecutors need a broad statute, particularly given that technological advances will always outpace the ability of Congress to legislate. Those attempting to improperly access a bank or company’s system may not be doing it for economic gain but may be seeking to inflict damage or havoc for ideological or political reasons. So I get why the criminal charges can’t be limited to charges of intent to defraud. However, the language of 1030(a)(2) appears to be virtually limitless to me. So I can’t help but conclude that the CFAA, as presently written, is part of the problem.
Which will lead me to my next post, looking at the issue of prosecutorial discretion and proposed modifications to the CFAA.