It’s been almost a month since hacker-activist Aaron Swartz took his own life at the age of 26, driven — according to those who knew him — by a combination of depression and the threat of jail time. The latter was a result of federal charges under the Computer Fraud and Abuse Act for an incident involving documents he downloaded from the JSTOR research archives. While proposals have been made for changes to the law as a result of his death, it’s important to think about all the other hackers who might be caught by the same net, even if they aren’t as appealing as Swartz.
In the wake of his suicide, Swartz’s case quickly became a cause celebre, and a group of legislators including Darrell Issa (R-Calif) — who was also instrumental in the fight against SOPA and PIPA — recently asked the Justice Department to look into the behavior of the U.S. attorney’s office in pressing for a severe penalty against the young hacker. Zoe Lofgren (D-Calif.) has also proposed a number of changes to the Computer Fraud and Abuse Act that would prevent the state from going after others for what Swartz did.
Among other things, those changes — some of which were proposed by users of Reddit during a session with Lofgren last month — would prevent prosecutors from pressing charges for simple breaches of a website’s terms of service or user agreement, which is one of the clauses in the CFAA that was used against Swartz. Changing a computer’s hardware address (which Swartz did in order to avoid detection) would also not qualify as criminal hacking.
But while Aaron Swartz’s experience has drawn some much-needed attention to the problems with outdated laws like the Computer Fraud and Abuse Act — which was written in 1986, before the web was even invented — we shouldn’t forget that others have also been hit with this overly broad and vague piece of legislation, even though they haven’t become popular causes in the way that Swartz has.
A broad and overly vague legal net
In 2008, for example, prosecutors used this aspect of the law to go after a woman who created a MySpace profile using an assumed name (although a judge declined to hear the case) — and as one security researcher has explained, the same principle could easily be used to charge anyone who simply goes to a website without the explicit permission of the owner.
One of those who has been caught in this particular net is almost the polar opposite of Aaron Swartz, although both were clearly hackers: Andrew Auernheimer, who is known by the online handle Weev, has also been found guilty and is facing potential jail time for unauthorized access to a computer or web service. In his case, Weev and a fellow hacker collected a list of AT&T customer email addresses by generating random URLs at the AT&T website, and then gave them to Gawker in what they said was an attempt to draw attention to AT&T’s lax security measures.
Unlike Swartz, who has been hailed by most of his friends and acquaintances — including luminaries such as Creative Commons founder Lawrence Lessig and even the creator of the World Wide Web, Sir Tim Berners-Lee — as a force for good and a crusader for openness and other just causes, Weev is somewhat notorious for being an online troll who reportedly delights in causing mischief, aggravation and hurt feelings wherever he goes.
Being a troll shouldn’t qualify as hacking either
All of that may make him less than appealing as a public cause, but the flaws in the Computer Fraud and Abuse Act are just as obvious in his case: in fact, what Weev did barely even qualifies as hacking, since he simply generated random iPad ID numbers and then used those to get the AT&T email addresses. In other words, the addresses were freely available and not hidden behind technological locks or passwords of any kind (Weev also made no attempt to use them or sell them).
The bottom line is that the CFAA isn’t worth scrapping or rewriting just because it was used to go after Swartz, or even Weev — the biggest issue is that it is so broad and technologically ignorant that it can be used to criminalize behavior that should barely even register as a nuisance, let alone a crime. Swartz’s downloading of JSTOR documents wasn’t serious enough for the archive to press charges, and yet the prosecutor chose to threaten the young hacker with jail time.
At its best, hacking of the kind that both Swartz and Weev engaged in is no different than the kind that Microsoft founder Bill Gates employed when he let lose a worm that shut down a corporate computer network when he was 14. Within reason, testing the limits of computer systems and revealing security holes is something for which we should be thanking hackers — or possibly admonishing them — not sentencing them to prison terms.