Updated June 26, 2013: Last week, Rep. Lofgren introduced Aaron’s Law in the House (pdf), clarifying the language of the law to “make clear that the CFAA does not outlaw mere violations of terms of service, website notices, contracts, or employment agreements.” The proposed amendment also ensures greater prison time is reserved for repeat offenders, rather than those facing multiple charges.
Before he died at the age of 26, Aaron Swartz could claim a number of internet-related accomplishments dating back to when he was only a teenager. Swartz, among other things, had laid the groundwork for the modern-day RSS feed, helped launch Creative Commons, and was a co-founder of the popular website Reddit. One of these accomplishments alone could qualify someone as a success, but Swartz was a pioneer and an innovator.
Despite these many contributions, Swartz faced legal trouble in July of 2011 when he was charged with thirteen counts of wire fraud and hacking, primarily under the Computer Fraud and Abuse Act. The charges were a result of Swartz’s use of MIT’s computer network to download over 4 million academic articles en masse from the online academic archive JSTOR. Swartz had set up a computer in an MIT closet and modified certain features of his computer to gain access to the JSTOR website through the MIT network. Swartz’s supposed plan was a show of political activism culminating in the release of those academic articles to the public for free. Swartz’s reasoning being that public funding was what paid for the articles themselves to begin with.
The federal prosecutor assigned to the case proceeded full force and Swartz was faced with the threat of upwards of 35 years in prison and a fine of $1 million. Swartz was offered a plea deal of six months in prison, but was also told by the prosecutor that it was likely a seven-year sentence would be sought at trial. Swartz had to make a decision, and no matter what he decided, prison time would be involved. His trial date was scheduled for this coming April, but instead of facing the prospect of prison time, Swartz chose to take his own life on January 11, 2013. While suicide typically is not the product of one single factor, it is clear that the prospect of any prison time at all contributed significantly to Swartz’s decision.
The “Hacker” Culture and Mentality.
Swartz’s beliefs in openness and collaboration were a product of what could be summed up as a “hacker mentality.” Hacking as a way to promote openness and political activism can be traced back to the 1950’s when the national phone line network was dominated by a single company, Ma Bell (AT&T), and “phone phreaks” hacked their way into the system to make calls for free. These “phone phreaks” eventually saw their hacking grow to be part of the counterculture in the 1970’s, with the most famous of them being two entrepreneurs by the name of Steve Jobs and Steve Wozniak, who went on to start a little-known company by the name of Apple.
While the descriptor “hacking” is not always used to describe harmful activities, it typically carries a negative connotation in the media. Countries like the United States and China are constantly involved in both offensive and defensive cyber-warfare. Anonymous, one of the most public groups associated with hacking, wreaks havoc on various organizations’ websites, including the highly relevant example of their hacking and subsequent defacement of the U.S. Sentencing Commission’s website in response to Aaron Swartz’s death.
Despite the popular attention given to the harmful use of hacking, there has been positive media coverage of the mentality behind the hacker movement as well. Perhaps the most covered example was the collective blackout of the internet in response to Congress’ attempt to pass the controversial legislation SOPA and PIPA in 2012. Numerous popular websites blacked out their logos or took themselves offline to promote openness and awareness on the internet.
The coverage of the case against Aaron Swartz has primarily focused on the issue of prosecutorial discretion following Swartz’s death. However, attention is now turning to the law Swartz was accused of violating and whether his actions actually constituted “hacking” worthy of prosecution.
The Computer Fraud and Abuse Act.
The Computer Fraud and Abuse Act (CFAA), 5 originally signed into law in the mid-1980’s, primarily focuses on protecting computers belonging to the government and financial institutions. The CFAA also protects a computer “which is used in or affecting interstate or foreign commerce or communication.” At the most basic of levels, the CFAA forbids anyone from accessing a computer without, or in excess of, authorization in order to obtain information from any protected computer.
An individual who violates, or conspires to violate, the CFAA can be subject to a fine, imprisonment, or both. The maximum prison sentence can range anywhere from one to twenty years for a violation if the actions were taken against the government, a financial institution, or a protected computer in general. The higher end of that range is typically associated with violations that involve national security or result in damage or loss. When the violation involves damage or loss, then the violator may be subject to civil liability as well.
While the CFAA was signed into law well before the internet became “the internet,” the Act has found its way into the limelight a number of times with high profile violations being particularly tied to the internet. One of the most well-known cases involving the CFAA arose from events in 2010 when Pfc. Bradley Manning, an American soldier, was accused of obtaining classified documents and leaking them to the website WikiLeaks. The resulting data dump by WikiLeaks produced untold damage to the United States’ image abroad. Pfc. Manning is set to stand trial in June of this year for 22 charges, including multiple violations of the CFAA concerning both his accessing the materials and the subsequent transmittal to WikiLeaks.
While a vast majority of the population is unlikely to violate national security or take the extra steps that Aaron Swartz did to access the JSTOR archives, the internet itself has made virtually anyone and everyone potentially subject to violating the CFAA.
Anyone Using a Computer Connected to the Internet Opens Themselves up to Potential Liability.
Where the CFAA shows its age is in how the element of “obtaining information from any protected computer” may be satisfied. In the early-1980’s, when the law was originally contemplated, this would seemingly have to be accomplished by physically sitting down at a computer. In the present day, such a task can be satisfied by the mere use of a computer to access a website and read any response from that site once it has loaded. Even the training manual for United States Attorneys on how to go about prosecuting computer crimes under the CFAA acknowledges that “it is enough that the computer is connected to the Internet.” 6
To further illustrate the point, reading this article satisfies the requisite element of “obtaining information.” The very nature and infrastructure of the internet has opened up potential liability under the Act to virtually everyone.
Exceeding the Scope of Authorized Access is Easier to Accomplish than One Might Expect
The issue of liability then turns on the fact that while the language of “without authorization” in the CFAA may seem fairly straightforward, enforcement has been quite the opposite. Conceivably the most worrisome aspect of the law as it stands today is that “without authorization” may include a computer user who violates a website’s terms of service or use.
Terms of service or use refers to the seemingly boilerplate language almost all users skim over while clicking through the sign-up process for an online account. Terms of service agreements have especially found a way into the news as of late, as recently highlighted by the public outcry over Instagram’s modifications to its terms of service. When Instagram changed the language of its terms to be more user-friendly (i.e., readable), the internet-at-large immediately went up in arms under the assumption that the photo sharing website would now generate money from its users’ pictures without compensating those users. Kim Kardashian, the most followed celebrity on Instagram, publicly took to Twitter saying “I need to review this new policy.” The thought of Kim Kardashian sitting down to read the terms of service for a website is highly amusing, but it does serve to highlight the fact that the rules users agree to abide by every day on the internet are simply not reviewed prior to agreeing to them.
To further compound the situation for the vast majority of users, even if a user is made aware of a website’s terms of service it is fairly easy for a violation to still occur. Websites such as Facebook or Google constantly update the terms of service for their respective websites to reflect and anticipate the way the websites are used. But other websites may not update their terms for years, and antiquated terms of service can be an issue when they no longer reflect the way things are done on the internet.
Other factors will usually determine if a violation of the CFAA has ultimately occurred and if it is a violation the U.S. Attorney’s office will deem worthy of prosecuting. However, it should be noted that within the courts there is a discrepancy in whether the violation of terms of service agreements does indeed open up a user to criminal or civil liability under the CFAA. Interpretation of the CFAA is inconsistent across jurisdictions, and can even be inconsistent within the same jurisdiction as illustrated by the following two cases from California.
In United States v. Drew, 259 F.R.D. 449 (C.D. Cal. 2009), a mother created a fake MySpace account to pose as a teenage boy and form an online relationship with a teenage girl who was bullying her daughter. The mother eventually broke off the relationship and told the young girl that “the world would be a better place without her in it.” Within hours, the young girl committed suicide and the mother was charged with violating the CFAA. The trial court held that prosecution could not be based upon a violation of a website’s terms of service because such an interpretation of the CFAA would violate the void-for-vagueness doctrine.
In eBay Inc. v. Digital Point Solutions, Inc., 608 F. Supp. 2d 1156 (N.D. Cal. 2009), online auction website eBay entered into an agreement with an advertising company where eBay would pay the company based on the number of clicks on its ads. When the company used a scheme to game the system, eBay filed suit under the CFAA’s civil provision. Although eBay’s claim was eventually dismissed on a procedural matter, the trial court plainly stated in its analysis that allegations “with respect to access and use beyond those set forth in a user agreement constitute unauthorized use under the CFAA.”
What the Future Holds for Internet Users and the CFAA.
While it is hard to imagine anything positive arising out of someone’s untimely death, the increasing indignation over Aaron Swartz’s suicide has resulted in key Congressmen publicly announcing their intention to take a second look at the CFAA. Senator Ron Wyden (D-Oregon), though acknowledging the process in Washington is a slow one, has said he plans to speak with members of both parties in the Judiciary Committee about how to modify the CFAA. House Judiciary Chairman Bob Goodlatte (R-Virginia) has announced that the committee will examine the Act, but that at the moment much of that review will focus on preventing abuse of the law rather than changing the actual language of the law.
The most intriguing reaction to the Swartz tragedy has been that of Representative Zoe Lofgren (D-California), who posted a draft of a bill on Reddit, the site that Swartz co-founded. Referred to as “Aaron’s Law,” the initial draft proposed to narrow the CFAA in a way that violating a company’s terms of service would not constitute criminal hacking under the Act. However, after receiving numerous comments on the draft, Rep. Lofgren posted a revised version further narrowing the language of the Act and specifically addressing certain actions under which Swartz faced prosecution.
It is possible the Supreme Court of the United States could reconcile the split in interpretation in the future, but it is far more likely that legislation will be the vehicle to rein in the reach of the Computer Fraud and Abuse Act. If activists and Congressmen keep Aaron Swartz’s memory alive, then perhaps sometime soon the simple act of reading this article may no longer have the potential for opening up the reader to a violation of federal law.