Proposals are in the works to change the Computer Fraud and Abuse Act in the wake of hacker-activist Aaron Swartz’s untimely death, but those changes are important for reasons that go far beyond just Swartz’s suicide.

It’s been almost a month since hacker-activist Aaron Swartz took his own life at the age of 26, driven — according to those who knew him — by a combination of depression and the threat of jail time. The latter was a result of federal charges under the Computer Fraud and Abuse Act for an incident involving documents he downloaded from the JSTOR research archives. While proposals have been made for changes to the law as a result of his death, it’s important to think about all the other hackers who might be caught by the same net, even if they aren’t as appealing as Swartz.

In the wake of his suicide, Swartz’s case quickly became a cause celebre, and a group of legislators including Darrell Issa (R-Calif.) — who was also instrumental in the fight against SOPA and PIPA — recently asked the Justice Department to look into the behavior of the U.S. attorney’s office in pressing for a severe penalty against the young hacker. Zoe Lofgren (D-Calif.) has also proposed a number of changes to the Computer Fraud and Abuse Act that would prevent the state from going after others for what Swartz did.

Breaching terms of use shouldn’t qualify as hacking

Among other things, those changes — some of which were proposed by users of Reddit during a session with Lofgren last month — would prevent prosecutors from pressing charges for simple breaches of a website’s terms of service or user agreement, which is one of the clauses in the CFAA that was used against Swartz. Changing a computer’s hardware address (which Swartz did in order to avoid detection) would also not qualify as criminal hacking.

But while Aaron Swartz’s experience has drawn some much-needed attention to the problems with outdated laws like the Computer Fraud and Abuse Act — which was written in 1986, before the web was even invented — we shouldn’t forget that others have also been hit with this overly broad and vague piece of legislation, even though they haven’t become popular causes in the way that Swartz has.

As Marcia Hofmann of the Electronic Frontier Foundation has pointed out, one of the most problematic parts of the CFAA is that the law makes it a crime to access a computer or website “without authorization” or in a way that “exceeds authorized access,” but those terms are never really defined. In a number of cases, prosecutors have defined them to mean that anyone accessing a web-based service in any way that isn’t explicitly approved by the terms of use is committing a crime under the act.

In 2008, for example, prosecutors used this aspect of the law to go after a woman who created a MySpace profile using an assumed name (although a judge declined to hear the case) — and as one security researcher has explained, the same principle could easily be used to charge anyone who simply goes to a website without the explicit permission of the owner.

One of those who has been caught in this particular net is almost the polar opposite of Aaron Swartz, although both were clearly hackers: Andrew Auernheimer, who is known by the online handle Weev, has also been found guilty and is facing potential jail time for unauthorized access to a computer or web service. In his case, Weev and a fellow hacker collected a list of AT&T customer email addresses by generating random URLs at the AT&T website, and then gave them to Gawker in what they said was an attempt to draw attention to AT&T’s lax security measures.

Unlike Swartz, who has been hailed by most of his friends and acquaintances — including luminaries such as Creative Commons founder Lawrence Lessig and even the creator of the World Wide Web, Sir Tim Berners-Lee — as a force for good and a crusader for openness and other just causes, Weev is somewhat notorious for being an online troll who reportedly delights in causing mischief, aggravation and hurt feelings wherever he goes.

Being a troll shouldn’t qualify as hacking either

All of that may make him less than appealing as a public cause, but the flaws in the Computer Fraud and Abuse Act are just as obvious in his case: in fact, what Weev did barely even qualifies as hacking, since he simply generated random iPad ID numbers and then used those to get the AT&T email addresses. In other words, the addresses were freely available and not hidden behind technological locks or passwords of any kind (Weev also made no attempt to use them or sell them).

The bottom line is that the CFAA isn’t worth scrapping or rewriting just because it was used to go after Swartz, or even Weev — the biggest issue is that it is so broad and technologically ignorant that it can be used to criminalize behavior that should barely even register as a nuisance, let alone a crime. Swartz’s downloading of JSTOR documents wasn’t serious enough for the archive to press charges, and yet the prosecutor chose to threaten the young hacker with jail time.

At its best, hacking of the kind that both Swartz and Weev engaged in is no different than the kind that Microsoft founder Bill Gates employed when he let loose a worm that shut down a corporate computer network when he was 14. Within reason, testing the limits of computer systems and revealing security holes is something for which we should be thanking hackers — or possibly admonishing them — not sentencing them to prison terms.

Post and thumbnail images courtesy of Shutterstock / ER 09 and Fred Benenson

  1. This is total bullshit. Weev has personally advocated racial genocide at least dozens of times in broadcast and public internet media. On a mens rea basis, he is guilty as sin and the night-and-day opposite from Aaron, having conspired to try to make “buttloads” of money with his iPad email address data in unchallenged evidentiary chat transcripts. Defending him without becoming aware of his detailed history is a terrible mistake, and is essentially equivalent to attacking CFAA reform outright. Shame!

    1. James, as I tried to explain on Twitter, I am not defending every statement Weev has ever made — he is clearly an unpleasant and possibly unbalanced individual. But he is still the target of an overly broad and unfair law, and I think that requires us to speak out, regardless of what we think of him personally.

      1. (copying replies from elsewhere)

        Indiscriminate adherence to ideals above working to achieve those ideals shows a lack of sound judgement and sincere commitment. The issue of the ACLU defending the KKK has been raised. How many hundreds of millions of dollars in donations and votes for the candidates that the ACLU supports did that cost them? Sure, the KKK can march in Skokie, but how many more blacks are in jail than whites in proportion to the number of their crimes, and what has the ACLU been able to do about it since they went that route?

        If you want to neuter the effectiveness of any public testimony you ever give by equating someone who devoted his life to achieving greater income equality with someone who has repeatedly gone on about how to murder the non-white two thirds of the Earth’s population, that’s your decision, but if you let your blind adherence to ideals get in the way of achieving them, what does that say about your trustworthiness? What does it say about the esteem in which you hold the ideals you claim to uphold?

        Weev is really good at seeming likable for someone who repeatedly advocates murder of Jews and blacks. He uses every opportunity to try to ingratiate himself with anyone with whom he thinks he has a chance. But I reject the idea that his conviction was unjust even as I fight for reform of the unjust law he was convicted of breaking, because of his history, goals, means, and the state of his mind during the events in question. And more importantly, I can think of no example of CFAA abuse for which exposure in the media is more likely to entirely prevent CFAA reform this decade.

  2. We need a national dialogue on the practice of piling on charges to coerce defendants into accepting unjust plea bargains.

    The prosecution was apparently in the business of annihilation. Swartz faced spiritual annihilation and financial annihilation, with no viable means of escape. To my mind, our justice system is out of control. The prosecution took leave of their senses. Unfortunately, this kind of tragedy is all too commonplace, and most of the time goes unreported.

    The suicide of Aaron Swartz in the face of the appalling over-reach of unchecked discretionary prosecutorial power highlights a much larger problem that pervades our legal system.

    The entire US legal system (including criminal, civil, and family court divisions) is routinely used in an outrageously abusive manner.

    Those who are traumatized, stigmatized, or victimized by such shenanigans within the legal system may suffer what has come to be called Legal Abuse Syndrome.

    In the field of Medicine, every proposed treatment or cure has to be carefully studied and reviewed to ensure that it has demonstrated therapeutic value, and does not inadvertently spread, exacerbate, or even cause the malady it sets out to treat. In the medical literature, a treatment is called “iatrogenic” if it is counter-productive to the primary objective of curing disease.

    The field of Law does not employ such safeguards, and as a result a substantial fraction of our public policies and practices, operating under the color of law, turn out to be iatrogenic — ineffective at best and counter-productive at worst.

    Alan Simpson, the retired Senator from Wyoming, spent some three decades in Congress, during which time he helped craft and enact a great deal of legislation. But after he retired, he remarked that during his tenure in Washington politics, he discovered a law, the way a scientist would discover a natural law. Simpson said he discovered the Law of Unintended Consequences, meaning that the actual outcome of legislation, passed in good faith with an expectation of curing one of society’s ills, frequently turned out to have unanticipated, unexpected, and undesirable consequences. In science, if one is relying on a theoretical model, and the actual outcome of an experiment does not jibe with that predicted by the model, one is obliged to discard the model as unreliable.

    Our governmental systems are rife with unreliable models which give rise to unwise practices, many of which are ineffective at best and counter-productive at worst. We have built governmental systems that lack viable safeguards against iatrogenic treatments of many of our most problematic social ills.

    Here is an example of the kind of scholarly article one might find on JSTOR (which recently relaxed its policies to make many more of them freely available without a costly institutional subscription).

    “Punishment and Violence: Is the Criminal Law Based on One Huge Mistake?” by James Gilligan, Harvard University; published in the Journal of Social Research, Fall 2000.


  3. Swartz is not a martyr. Suicide is not a courageous act.

